Storing keys in Mac Keychain Access

optiondog's Avatar

optiondog

27 Nov, 2016 08:20 PM

I was getting frequent Mac Pinentry messages asking me to enter my passphrase. I tried storing my passphrase in GPG Prefs following the instructions. I set it for 86,400 seconds which is equal to 24 hours. It wouldn't let me set for 48 hours. (The default is only 600 seconds which doesn't even seem worth it) Even though I set for 24 hours, the pin entry message appeared less than 24 hours later. This time, in the dialog box, I checked the box to store my passphrase. So far I have not gotten anymore messages. But I'm just wondering, for future reference ,why the first method didn't let me set it for a longer period of time and why it didn't even work for the duration that I set it for.

  1. Support Staff 1 Posted by Steve on 01 Dec, 2016 06:18 PM

    Steve's Avatar

    Hey optiondog,

    did you type '86,400' for the amount of seconds your password should be cached? If so, could you retry your experiment with '86400' instead. I fear you may have set the caching tome to 86 seconds.

    Please see this KB-article on how to manage passwords for your keys.

    You now used another method and stored your password in the macOS keychain. Above KB article has the details.

    All the best,
    steve

  2. 2 Posted by optiondog on 01 Dec, 2016 11:16 PM

    optiondog's Avatar

    Thank you for your all your help.  
    I'm pretty sure I didn't enter a comma.  I initially tried 172,800 and it told me that I can't set it for that long so that means I didn't use a comma on that attempt.  Otherwise it would have allowed it.  And I when I changed it to 86,400 I don't think I suddenly decided to add a comma.  I just opened the prefs and there's no comma so even if I had typed a comma it apparently deleted it on it's own. It's stored now because I checked it in the dialog box when the pin entry message came up again.  
    BTW, I opened my Mac Keychain Access and it only shows one of my public keys stored.  I have created several keys and the one that shows as being stored is one that I don't even use.  I'm still not getting anymore pin entry messages (which is fine) but it seems like should be getting messages wanting me to store my other keys too.  Any idea why I'm not getting any?
    Still wondering how to locate my secret key too.  Are they supposed to be in the private-keys-v1.d folder?  That folder is empty.  There is a document called securing.gpg.  Is that it? Maybe you answered this in another recent message.  I'll check to see.
    Thanks

  3. Support Staff 3 Posted by Steve on 03 Dec, 2016 08:09 PM

    Steve's Avatar

    The current max. is 86999 seconds. We probably should limit the field to 5 digits and then allow 99999 as maximum.

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussions should you run into further problems or need assistance.

    Regarding macOS keychain storage: while you may have created more than one key, that doesn't necessarily mean, those already have their passwords stored in macOS keychain.

    Whenever the key is required to sign or decrypt you will be asked for your password (in case it is not stored in macOS keychain). So to trigger the dialog just sign some sample text in TextEdit with the respective key and pinentry should show.

    Secret keys are indeed stored in the securing.gpg file.

  4. 4 Posted by optiondog on 04 Dec, 2016 08:45 PM

    optiondog's Avatar

    I have several public keys but I only have one passphrase. So now that I have stored that passphrase by checking that box in that last pin entry message dialog box I got, shouldn't Mac Keychain Access show my other keys too since they're all associated with the same passphrase?
    After I checked the box to store my passphrase, I stopped receiving the messages so that would imply that by storing it this way I can store it for more that 86999 seconds.  
    It also implies that all my public keys are being stored, otherwise I would still be getting pin entry messages.  Those messages kept appearing without me having to sign any text with my key.
    Many thanks

  5. Support Staff 5 Posted by Steve on 12 Dec, 2016 10:41 AM

    Steve's Avatar

    No, that's not how things work. Passwords are not associated with all keys if they are the same. Thoughts about that:

    • you should never reuse passwords in more than one occasion (unless you have really good reason to do so) since it lowers security a lot and if you get compromised the entire security process collapses

    macOS keychain access can store your password but does so only in regards to a specific key. So to answer your question: you will have to store any password you want stored separately, even if it is an identical password (which again, is a policy, we would not recommend).

    The pinentry dialog is not related to usage of your public key. Those dialogs where probably triggered by either sending a signed mail or looking at encrypted mails for which in order to decrypt them access to your secret key was requested.

    All the best,
    steve

  6. 6 Posted by optiondog on 12 Dec, 2016 07:37 PM

    optiondog's Avatar

    The pin entry dialogs were appearing without me doing any of that.  In fact, on many occasions I would simply wake up my computer from sleep mode and the dialog would be there on my screen.  
    I never realized I was supposed to use different passwords.  When you say I should never reuse the password in more than one occasion, do you actually mean I should use a different password every time I encrypt or decrypt a message even if I'm using the same public key?  Or just use a different password for each different public key I use?  Either way I suppose I'll have to learn how to create different passwords.  Perhaps you have a link to some instructions on that?
    Thanks

  7. Support Staff 7 Posted by Steve on 15 Dec, 2016 11:52 AM

    Steve's Avatar

    Was Mail.app open when you put your machine to sleep? Try the same but make sure you select an empty folder or inbox before putting your computer to sleep. Then pinentry should not show up.

    What I meant by not using the same password was the (sadly) common practice to use one password for all your logins (and keys). That's not a good idea. If you get compromised due to whatever reasons, you got a real problem. So it is recommended to not re-use the same password. If you set a password for a certain OpenPGP key, that password remains the same of course. Unless you decide to change it every 6 months. Which again isn't such a bad idea, as long as you have a good way to keep track of your passwords.

    Password managers are one solution to the problem. They generate strong passwords. But again, it should be a software which you can trust. I would not use a web based password manager.

    If you prefere paper, you may want to look into creating diceware passwords https://en.wikipedia.org/wiki/Diceware.

  8. Steve closed this discussion on 20 Apr, 2017 03:00 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac