On 3/1/23 7:10 AM, efeizbudak wrote:
Hi all,
Hi,
I let mutt-wizard set a cron job which takes my password out
of pass, logs into the email server and fetches my mail every
5 minutes.
Can you re-architect this as a (pseudo) daemon so that you unlock it
once (or at least a LOT less often) and it stores the necessary
information in memory for subsequent re-use?
With this I have to unlock my key as frequently as the amount in
gpg-agent.conf's default-cache-ttl setting.
:-/
pam-gnupg has been suggested as a remedy to this problem but the
disclaimer on its page about dangerous bugs make me hesitant to use
it. What do you think about the security of it? It's only 500 SLOC
but I don't trust myself with reviewing the security of it.
I don't relish the idea of giving something the keys to the kingdom.
Could you re-configure things so that (a copy of) the requisite password
is accessible via a different set of GPG credentials specific to the
process that you're running? Then you could probably have just that set
of GPG credentials unprotected so that the script could use them as it
is today.
If neither of these options were possible I'd look into something like a
TPM and / or Yubikey wherein I could offload some of the GPG to it so
that the decryption key is physically tied to the source computer /and/
*where* *it* *can't* *be* *copied*.
I might also look into other authentication methods, e.g. TLS client
certificate, so that the script can do what it needs to without needing
to bother with GPG.
--
Grant. . . .
unix || die