How to cache gpg key passphrase with gpg-agent and keychain on Debian 10?

7 votes
1 answer
9402 views
I have a Debian 10 server. I want to send email with msmtp and I need to cache a passphrase for a gpg key. The smtp password needed by msmtp is encrypted in a file using this gpg key. msmtp will use gpg to decrypt this file to get the smtp password. This line is present in the /etc/msmtprc file:

```
passwordeval gpg --no-tty -q -d /etc/.msmtp-password.gpg
```

**I'm trying to use gpg-agent and keychain to cache the password of the secret gpg key**. This way the system could send emails without asking for a password. I want that each time I boot the server **I submit the passphrase for the gpg key only once, and the passphrase for the key is cached until the next reboot**. (If I log out and log in again I shouldn't need to submit the passphrase for the gpg key until the next reboot.)

I didn't succeed because when I log out from the remote host (Debian server), the gpg-agent stops. If I establish a new connection via SSH, keychain starts a new agent with a new PID and the passphrase for the key is lost. Below you'll find what I did and, I hope, useful information. I'll be happy if you could help me.

My Linux version:

```
cat /etc/issue
Debian GNU/Linux 10 \n \l
```

gpg version:

```
gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
```

We create a secret gpg key; a password for the key will be asked:

```
gpg --gen-key
...
Nom réel : user@mdomain.tld
Adresse électronique : user@mdomain.tld
Vous avez sélectionné cette identité : « user@mdomain.tld »
...
les clefs publique et secrète ont été créées et signées.
pub   rsa3072 2020-10-15 [SC] [expire : 2022-10-15]
      3C82AB1E9384F4A92CEBCE7077B1EDA25A942746
uid                      user@mdomain.tld
sub   rsa3072 2020-10-15 [E] [expire : 2022-10-15]
```

We check the secret key:

```
gpg --list-secret-keys --with-keygrip
...
sec   rsa3072 2020-10-15 [SC] [expire : 2022-10-15]
      3C82AB1E9384F4A92CEBCE7077B1EDA25A942746
      Keygrip = 47CF9E2C933761CF1021731F72603B8291BB211C
uid           [ ultime ] user@mdomain.tld
ssb   rsa3072 2020-10-15 [E] [expire : 2022-10-15]
      Keygrip = 4133708B3FA225C4732A0F9FBD0053DEF937B46A
```

We look at the PID of the gpg-agent process:

```
ps aux | grep gpg-agent
root       738 17.1  0.0  81204  3864 ?        SLs  16:55   0:04 /usr/bin/gpg-agent --supervised
root       745  0.0  0.0   6092   824 pts/0    S+   16:56   0:00 grep gpg-agent
```

We check the keys known by gpg-agent:

```
gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO 47CF9E2C933761CF1021731F72603B8291BB211C D - - - P - - -
S KEYINFO 4133708B3FA225C4732A0F9FBD0053DEF937B46A D - - - P - - -
OK
```

We check the gpg-agent options:

```
gpgconf --list-options gpg-agent
Monitor:1:0:Options contrôlant la sortie de diagnostique:0:0::::
...
default-cache-ttl:24:0:oublier les codes personnels après N secondes:3:3:N:600::
default-cache-ttl-ssh:24:1:oublier les clefs SSH après N secondes:3:3:N:1800::
max-cache-ttl:24:2:définir la durée maximale du cache de code personnel à N secondes:3:3:N:7200::
max-cache-ttl-ssh:24:2:définir la durée maximale du cache de clef SSH à N secondes:3:3:N:7200::
...
pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
```

default-cache-ttl and max-cache-ttl are too low: gpg-agent will cache the passphrase for only 10 minutes. This is too short a period if you intend to use keychain. We can also add a log file. Default options can be changed by adding a gpg-agent.conf file:

```
cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 31536000
max-cache-ttl 31536000
log-file /var/log/gpg-agent
debug-level basic
```

We check that the new gpg-agent options have been added:

```
gpgconf --list-options gpg-agent
Monitor:1:0:Options contrôlant la sortie de diagnostique:0:0::::
...
default-cache-ttl:24:0:oublier les codes personnels après N secondes:3:3:N:600::31536000
default-cache-ttl-ssh:24:1:oublier les clefs SSH après N secondes:3:3:N:1800::
max-cache-ttl:24:2:définir la durée maximale du cache de code personnel à N secondes:3:3:N:7200::31536000
max-cache-ttl-ssh:24:2:définir la durée maximale du cache de clef SSH à N secondes:3:3:N:7200::
...
pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
```

We reload the gpg-agent configuration to activate the new options:

```
gpg-connect-agent reloadagent /bye
OK
```

Now we install keychain:

```
apt install -y keychain
```

keychain version:

```
keychain -V
 * keychain 2.8.5 ~ http://www.funtoo.org
```

We cache decrypted GPG keys with keychain:

```
keychain --eval --agents gpg 3C82AB1E9384F4A92CEBCE7077B1EDA25A942746
 * keychain 2.8.5 ~ http://www.funtoo.org
 * Inheriting gpg-agent (738)
GPG_AGENT_INFO=/run/user/0/gnupg/S.gpg-agent:738:1; export GPG_AGENT_INFO;
 * Adding 1 gpg key(s): 3C82AB1E9384F4A92CEBCE7077B1EDA25A942746
```

Because we entered the passphrase, the decrypted GPG key is now cached by gpg-agent (look at the 1):

```
gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO 47CF9E2C933761CF1021731F72603B8291BB211C D - - 1 P - - -
S KEYINFO 4133708B3FA225C4732A0F9FBD0053DEF937B46A D - - - P - - -
OK
```

We modify the .bashrc file. On next login keychain will find the decrypted GPG key cached by gpg-agent. On next reboot keychain will ask for the passphrase for the key once, and it stays cached until the next reboot:

```
cat ~/.bashrc
...
# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022
...
eval $(keychain --agents gpg)
```

In order to check default-cache-ttl and max-cache-ttl we wait 700 seconds, more than gpg-agent's default configuration:

```
jeudi 15 octobre 2020, 16:56:32 (UTC+0200)
jeudi 15 octobre 2020, 17:08:12 (UTC+0200)
```

We check the keys known by gpg-agent: the decrypted GPG key is still cached by gpg-agent (look at the 1):

```
gpg-connect-agent 'keyinfo --list' /bye
S KEYINFO 47CF9E2C933761CF1021731F72603B8291BB211C D - - 1 P - - -
S KEYINFO 4133708B3FA225C4732A0F9FBD0053DEF937B46A D - - - P - - -
OK
```

We create a file and encrypt it with the key (no passphrase is needed for encryption):

```
touch file.txt && gpg -e -r user@mdomain.tld file.txt
```

We decrypt the file. No passphrase is needed because the decrypted GPG key is still cached by gpg-agent after 700 seconds:

```
gpg --decrypt file.txt.gpg > file.txt
gpg: chiffré avec une clef RSA de 3072 bits, identifiant 4E40A1918B514393, créée le 2020-10-15
      « user@mdomain.tld »
```

We **log out and log in again** to the remote host via ssh. At the new login keychain can't find the previous gpg-agent with the cached key. Then keychain starts a new gpg-agent, but the cached key is lost...

```
 * keychain 2.8.5 ~ http://www.funtoo.org
 * Starting gpg-agent...
```

Regards
Asked by Zigobs (151 rep)
Oct 15, 2020, 07:54 PM
Last activity: Oct 16, 2020, 04:17 PM
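Added example, not from the original post nor from the GnuPG or keychain projects: the two checks the post does by eye (reading the cached column of `keyinfo --list` and the effective cache TTL from `gpgconf --list-options gpg-agent`) as small shell functions, run here on constructed samples copied from the output shown above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses the two kinds of
# gpg-agent output the post inspects by hand. It runs on constructed samples
# so it works without a live agent; on a real host feed it live command output.

# Constructed sample: the `gpg-connect-agent 'keyinfo --list' /bye` output from
# the post after keychain unlocked the primary key (cached column = 1).
SAMPLE_KEYINFO='S KEYINFO 47CF9E2C933761CF1021731F72603B8291BB211C D - - 1 P - - -
S KEYINFO 4133708B3FA225C4732A0F9FBD0053DEF937B46A D - - - P - - -
OK'

# Constructed sample of `gpgconf --list-options gpg-agent` lines. Fields are
# name:flags:level:description:type:alt-type:argname:default:argdef:value, so
# field 10 is the value set in gpg-agent.conf (empty when still at the default).
SAMPLE_GPGCONF='default-cache-ttl:24:0:forget passphrases after N seconds:3:3:N:600::31536000
default-cache-ttl-ssh:24:1:forget SSH keys after N seconds:3:3:N:1800::
max-cache-ttl:24:2:maximum passphrase cache time:3:3:N:7200::31536000'

# Print the keygrips whose passphrase gpg-agent currently holds in memory.
# KEYINFO columns: keygrip type serialno idstr cached protection fpr ttl flags,
# so "cached" is awk field 7 (fields 1-2 are the "S KEYINFO" prefix).
cached_keygrips() {
  printf '%s\n' "$1" | awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Exit 0 if keygrip $1 appears in the cached list parsed from keyinfo text $2.
is_cached() {
  cached_keygrips "$2" | grep -qx "$1"
}

# Print the effective value of gpg-agent option $1 from gpgconf text $2:
# the configured value (field 10) if set, otherwise the built-in default (field 8).
effective_option() {
  printf '%s\n' "$2" | awk -F: -v name="$1" \
    '$1 == name { print ($10 != "" ? $10 : $8); exit }'
}

# Demo on the samples. On a live host use, for example:
#   cached_keygrips "$(gpg-connect-agent 'keyinfo --list' /bye)"
#   effective_option max-cache-ttl "$(gpgconf --list-options gpg-agent)"
echo "keygrips with a cached passphrase:"
cached_keygrips "$SAMPLE_KEYINFO"
for opt in default-cache-ttl max-cache-ttl default-cache-ttl-ssh; do
  echo "$opt = $(effective_option "$opt" "$SAMPLE_GPGCONF") seconds"
done
```

Because the subkey keygrip (4133...) is reported as not cached in the sample, the functions distinguish the unlocked primary key from the encryption subkey, which is the distinction the post's `keyinfo --list` output makes.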