Reducing multiple passphrase entries
Hi. I've set the GPGPreferences option to remember the passphrase for x seconds. But I still usually get asked twice for the passphrase soon after starting up. I think this is because one happens when I sign a message, another when I decrypt a message - even though it's the same private keys being used. This isn't urgent, but it would be nice if fixed when you have time. Thanks!
PS Would also be nice to have an option to remember passphrase until logout/shutdown, but yes I could just set a very large number of seconds
PPS Yes I know I could store the passphrase in my keychain, but I'd rather not :)
Support Staff 1 Posted by Luke Le on 24 Apr, 2012 01:29 PM
Hi Ian,
please download the latest GPGMail version from http://nightly.gpgtools.org.
It includes a preference which will let you switch off the generation of the preview snippets, which are at fault for the multiple passphrase entries, especially if you use more than one GPG key and have encrypted messages for each key.
Let us know if it solves your problem.
2 Posted by Ian Brown on 24 Apr, 2012 02:54 PM
Thanks, that seems to have done the trick!
Ian.
Support Staff 3 Posted by Luke Le on 24 Apr, 2012 02:56 PM
Very nice!
We've also discussed your proposal to clean the passphrase cache on logout and will implement it.
Closing this discussion, feel free to open a new one any time!
Luke Le closed this discussion on 24 Apr, 2012 02:56 PM.
Ian Brown re-opened this discussion on 30 Apr, 2012 10:26 AM
4 Posted by Ian Brown on 30 Apr, 2012 10:31 AM
Hi. I see that your update hasn't quite done what I was asking. Let me explain further.
I have a long-term signature key pair. I also regularly generate shorter-life subkeys for encryption purposes.
I just sent a message to a colleague whose public key I have. I was asked once for my passphrase to unlock my long-term private key. The message was signed/encrypted and sent.
I then looked again at the message in my sent folder. I was asked again for my passphrase, to unlock my shorter-life private subkey - even though it's the same passphrase.
Since it will generally be the case that the same passphrase is used for keys and their subkeys, could you update your code so that it tries existing cached passphrases before asking users for a new one?
Even better, could you have an option to save sent messages (plus decrypted received messages) as plaintext (with a separate signature MIME part)? I use FileVault to protect my local storage. That way, when my shorter-life subkeys expire, I can delete the private part, preventing its future compromise.
Thanks!
Ian.
Support Staff 5 Posted by Steve on 22 May, 2012 11:53 AM
Does this Knowledge Base article answer your question?
http://support.gpgtools.org/kb/faq/can-i-store-my-passphrase-so-i-d...
If not, what functionality do you think is missing.
All the best,
steve
6 Posted by Ian Brown on 22 May, 2012 12:02 PM
Hi. No. I don't want to store my passphrase in my keychain. I have the other option set, but it is asking for the (same) passphrase when I need to sign messages (using my long-term private signature key) and decrypt messages (using a short-lifetime private decryption subkey).
Support Staff 7 Posted by Steve on 22 May, 2012 12:13 PM
I'm not sure I understand all the terminology you use.
You use one key (sec) for signatures. You don't change it, so you call it long-term.
Then you have another sec key you use to decrypt mails. You rotate that key, so you call it short-lifetime.
Do I understand that correctly?
Do both keys use the identical mail address?
The idea behind that is that you can rotate your sec key while your friends can still verify your signature, because you didn't rotate that sec key? Is that the idea?
But they wouldn't be able to write to you encrypted mails without obtaining the new pub key, no?
I'm not sure I get the point of the scenario. Please help us understand.
8 Posted by Ian Brown on 22 May, 2012 12:22 PM
Yes to all your questions.
See http://tools.ietf.org/html/rfc4880#section-5.5.1.2 for the PGP standard section that explains this key-subkey structure.
The benefit is that when your encryption subkey pair expire, if you securely delete the private key, it cannot later be hacked or otherwise compromised and then used to decrypt captured ciphertext. More in section 1 of http://www.apache-ssl.org/openpgp-pfs.txt
Support Staff 9 Posted by Steve on 27 May, 2012 02:31 PM
Hey Ian,
this is basically a feature request for the people at www.gnupg.org.
If gpg-agent can't find the passphrase in its cache, it would call up pinentry. pinentry would then look whether a passphrase is saved in the Mac keychain. If not, the pinentry window asks the user for it.
The problem here is that gpg needs to ask gpg-agent whether there is a stored passphrase for the main key already. gpg asks twice, for encrypting and signing. So your request makes sense, but it needs to be addressed in gpg itself. When that is done you should be fine. So feel free to get in touch with them via the mailing list.
Hope this helps,
steve
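The mechanism Steve describes can be seen directly in the key listing. gpg-agent caches an unlocked secret key under its keygrip, and a primary signing key and an encryption subkey always have different keygrips, so signing and decrypting create two separate cache entries even when one passphrase protects both; "try the cached passphrase first" would have to be added to gpg or gpg-agent. The script below is an added example, not GPGTools' or GnuPG's code. Its offline part parses a constructed `gpg --with-colons --with-keygrip -K` listing (fake key IDs, fingerprints and keygrips; only the record type, key ID, capability and keygrip fields are realistic) and needs only sh and awk. The two live helpers assume GnuPG 2.1 or later on PATH (`--with-keygrip` postdates this 2012 thread), and the `KEYINFO --list` field positions are given from memory of the gpg-agent Assuan documentation and should be verified against your version.

```shell
#!/bin/sh
# Added example, not GPGTools' or GnuPG's code. Shows why one passphrase
# is requested once for signing and once for decrypting: gpg-agent caches
# per keygrip, and the signing primary and the encryption subkey are
# different keygrips, hence two cache entries.

# Constructed sample of `gpg --with-colons --with-keygrip -K` output.
# All identifiers are fake. The parser reads field 1 (record type),
# field 5 (key ID), field 12 (capability letters: lowercase for this key,
# uppercase for the whole key's usable set) and, on grp: records,
# field 10 (the keygrip).
SAMPLE_SIGN_GRIP=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_ENC_GRIP=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
SAMPLE_LISTING="sec:u:2048:1:1111111111111111:1325376000:::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::${SAMPLE_SIGN_GRIP}:
uid:u::::1325376000::9999999999999999999999999999999999999999::Ian Brown <ian@example.org>:
ssb:u:2048:1:2222222222222222:1335400000:1343176000:::::e:
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::${SAMPLE_ENC_GRIP}:"

# Read a colon-format secret-key listing on stdin and print one line per
# secret key: "<sec|ssb> <capabilities> <keyid> <keygrip>". Each sec/ssb
# record is followed by its fpr: and grp: records, so the key is
# remembered until its grp: line arrives.
cache_units() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { rec = $1; caps = $12; keyid = $5; next }
        $1 == "grp" && rec != ""   { print rec, caps, keyid, $10; rec = "" }
    '
}

# Number of gpg-agent cache entries the listing implies: one per distinct
# keygrip, not one per passphrase. Signing primary + encryption subkey = 2.
count_cache_entries() {
    cache_units | awk '{ print $4 }' | sort -u | wc -l | tr -d ' '
}

# Keygrip of the key unlocked for a capability letter: "s" for signing,
# "e" for decryption. Only lowercase letters are this key's own
# capabilities, so the primary's uppercase "E" does not match.
keygrip_for() {
    cache_units | awk -v want="$1" 'index($2, want) { print $4; exit }'
}

# Live helpers (not called here so the file runs offline; GnuPG >= 2.1).
live_cache_units() {
    gpg --batch --with-colons --with-keygrip -K 2>/dev/null | cache_units
}
# Keygrips whose passphrase gpg-agent currently holds. Assumed line
# layout: "S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> ..."
# with <cached> equal to 1 when cached and - otherwise.
cached_keygrips() {
    gpg-connect-agent 'KEYINFO --list' /bye 2>/dev/null |
        awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

printf '%s\n' "$SAMPLE_LISTING" | cache_units
printf 'sign unlocks    %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | keygrip_for s)"
printf 'decrypt unlocks %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | keygrip_for e)"
printf 'separate cache entries: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_cache_entries)"
```

On a real setup, run `live_cache_units` after signing a message and compare with `cached_keygrips`: the signing keygrip shows as cached while the encryption subkey's does not until it has been unlocked once. The "remember for x seconds" preference maps to `default-cache-ttl` and `max-cache-ttl` (in seconds) in `~/.gnupg/gpg-agent.conf`, and both apply per cache entry, so a TTL covering the length of a session is the closest available approximation of "until logout".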
10 Posted by Ian Brown on 27 May, 2012 03:19 PM
Ok. Thanks!
Support Staff 11 Posted by Steve on 27 May, 2012 03:22 PM
No problem. Sorry we can't offer an easy fix for this. But the people at gnupg.org are very kind and supportive. So good luck, I'm sure they are open to good feature requests.
All the best,
steve
Steve closed this discussion on 27 May, 2012 03:22 PM.