Gopass age auto-unlock on login #2350

Closed
maddovr opened this issue Sep 24, 2022 · 4 comments · Fixed by #2351
Comments

maddovr commented Sep 24, 2022

Summary

I want to use gopass with age as my auth-source for managing my email passwords. I use mbsync/msmtp to read and send emails locally and I passed gopass mail/whatever as a command, since the PassCmd option in both configs accepts stdin, and it works nicely. However, age seems to forget the password every 5 minutes or so and I'm prompted with a pinentry dialog, which might be more secure but is bad UX since mbsync runs every 5 minutes to check for emails. Is there a solution to unlock age at login automatically (or just once per session)?

Edit: Could I do the auto-unlock if I added an SSH key as a recipient and then dumped it into ssh-agent? Also, would adding a recipient re-encrypt the whole store to use that key instead?

dominikschulz (Member) commented

I'm afraid that's not supported today. I haven't closely followed whether age itself has added some kind of persistent agent support.

But gopass had it for a while, until I realized that it might be insecure, so instead of shipping something which might be dangerous I removed it.

We could make a new attempt, but we'll need to make some careful changes around that (e.g. who can talk to the agent, unlocked private key material should not leave the agent, ...). Also possibly issues w/ OS-specific keychains.

@dominikschulz dominikschulz added the age age-encryption.org backend label Sep 24, 2022
dominikschulz (Member) commented

I have a work-in-progress branch that uses the OS keyring to cache the passphrase.

But I'm not sure I'm happy with the currently indefinite caching.

@dominikschulz dominikschulz self-assigned this Sep 24, 2022
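The bounded alternative to the indefinite caching discussed above, as an added illustration that is not gopass's code or the work-in-progress branch: a small in-memory passphrase cache that refuses a non-positive TTL, hands callers copies rather than the stored bytes, and overwrites an expired entry on access. It is a hypothetical sketch for single-goroutine use; the key id and passphrase used to exercise it are constructed values.

```go
package main

import (
	"errors"
	"time"
)

// Hypothetical sketch for this discussion, not gopass's own code; single-goroutine use only.
// entry pairs a private copy of a passphrase with the instant it stops being usable.
type entry struct {
	secret  []byte
	expires time.Time
}

// PassphraseCache keeps age passphrases in memory for a bounded time.
type PassphraseCache struct {
	ttl time.Duration
	m   map[string]entry
}

var ErrNotCached = errors.New("passphrase not cached or expired")

// NewPassphraseCache refuses a zero or negative TTL so caching can never be indefinite.
func NewPassphraseCache(ttl time.Duration) (*PassphraseCache, error) {
	if ttl <= 0 {
		return nil, errors.New("ttl must be positive; indefinite caching is refused")
	}
	return &PassphraseCache{ttl: ttl, m: map[string]entry{}}, nil
}

// Put stores a private copy of the passphrase, stamped to expire at now+ttl.
func (c *PassphraseCache) Put(keyID string, pass []byte) {
	c.m[keyID] = entry{secret: append([]byte(nil), pass...), expires: time.Now().Add(c.ttl)}
}

// Get returns a copy while the entry is live; an expired entry is zeroed and dropped
// on access rather than left in memory until something else evicts it.
func (c *PassphraseCache) Get(keyID string) ([]byte, error) {
	e, ok := c.m[keyID]
	if ok && time.Now().Before(e.expires) {
		return append([]byte(nil), e.secret...), nil
	}
	if ok {
		for i := range e.secret { // overwrite the bytes before discarding them
			e.secret[i] = 0
		}
		delete(c.m, keyID)
	}
	return nil, ErrNotCached
}
```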
maddovr (Author) commented Sep 24, 2022

I have msmtp with three accounts and three different passwords, set to run every 5 minutes to check for my emails. That'd gotta be annoying to deal with. I think if we could make this a strictly opt-in feature, with a huge disclaimer "it's unsafe, do so at your own risk", it would be good for the users.

EDIT: Just to clarify, this problem is actually unique to age, since gpg-agent can and will cache the password if you want it to. And you can also hook it with PAM if you so wish. So it's sort of a feature-parity thing.

dominikschulz added a commit to dominikschulz/gopass that referenced this issue Sep 24, 2022
Fixes gopasspw#2350

RELEASE_NOTES=[ENHANCEMENT] Use OS keychain for age passphrase caching
(off by default).

Signed-off-by: Dominik Schulz <dominik.schulz@gauner.org>
dominikschulz (Member) commented

I think we can add this as an optional feature (off by default) and let age adopters try and report feedback.

@dominikschulz dominikschulz added this to the 1.14.8 milestone Sep 24, 2022
AnomalRoil pushed a commit that referenced this issue Sep 27, 2022
* Use OS Keyring to cache age passphrases
* Add askpass for age

Fixes #2350

RELEASE_NOTES=[ENHANCEMENT] Use OS keychain for age passphrase caching (new config option, off by default).