Hi Mike, thanks for your answer.

> I haven't tried it, but if I understand the problem correctly, it is actually
> gpg-agent that requires the TTY. So when you run gpg-agent and type in the
> password, you must keep that TTY open. Then your cron job must run *as the
> same user* as the one that ran gpg-agent, or else it will spawn a new
> gpg-agent.

Of course, when I insert the passphrase of the key for the first time, as I said, I do it personally by hand at server startup, so I do have a TTY and an interaction with pass. The users for cron and mpop are the same too, and I already ensured there is only one gpg-agent instance available.

These are the errors I get in the mpop logs when the cron job executes:

    gpg: cannot open tty `/dev/tty': No such device or address
    mpop: cannot read output of 'pass <my_mail>'

and when I tried to use --no-tty:

    gpg: Sorry, no terminal at all requested - can't get input
    mpop: cannot read output of 'pass <my_mail>'

So mpop fails because gpg fails... No need to say that the script works when called from an interactive shell...

> Having said that, I think leaving a running gpg-agent with a very high TTL
> around is dubious security.

I agree, but after thinking a lot about it, it seemed a feasible solution in my case... Anyways, I use a specific key to only encrypt my mail tree in the password store, so when it is cached, if ever it is compromised, it can at most impact my mail accounts, but not the rest (but on the server I don't have the full pass tree as on my laptop)... In any case it would require a bit more effort than reading passwords stored in plain text from the configuration file.

> Instead, I might think about using something like
> EncFs or eCryptfs to encrypt the data rather than anything GPG-based.

Sure. Mails, the password store itself and the mpop files are already all stored in an encrypted loop file created with cryptmount, and this is nice for offline security... Anyways, I was looking for a way to protect passwords when the server is up and running, and the protection shield of the filesystem encryption has been opened...

Thanks again for your support.

_______________________________________________
Password-Store mailing list
[email protected]
http://lists.zx2c4.com/mailman/listinfo/password-store
