geluk / pass-winmenu

An easy-to-use password manager for Windows, compatible with pass.
MIT License

Cache GPG passphrase indefinitely #64

Closed alexozer closed 4 years ago

alexozer commented 4 years ago

Is there any way to cache your GPG passphrase indefinitely, even as new passwords are decrypted? My master password is long and inconvenient to type constantly, and I suspect typing it often may be less secure than simply not.

willpower232 commented 4 years ago

Is this not already in pass-winmenu.yaml?

geluk commented 4 years ago

It is indeed! Check out the GPG agent configuration section here.

Note that if you have a gpg-agent running, you'll need to restart it before those changes take effect. You can check Task Manager for gpg-agent.exe and kill it; it'll automatically be started as soon as you try to decrypt a password.

alexozer commented 4 years ago

Ah I see, I've tried changing those settings before but didn't see an effect. I'll try restarting GPG agent.

alexozer commented 4 years ago

Unfortunately I've run into the same issue I've encountered in the past, where changing the default timeout values doesn't seem to have an effect. I'm still prompted for a password around an hour later, despite having these timeout values in my configuration:

    gpg-agent:
        # Gpg-agent can have a pretty long startup time on Windows. This option allows
        # the gpg-agent to be started alongside pass-winmenu so it'll be ready when
        # you need it.
        preload: true
        config:
            # Set this to true to allow pass-winmenu to manage some configuration keys in your
            # `gpg-agent.conf` file, allowing you to configure features like password timeout.
            allow-config-management: false
            # Add the following configuration keys to `gpg-agent.conf`:
            keys:
                # Remember your GPG passphrase for up to one hour.
                # Every time you decrypt a password within this one-hour timespan, the timer will reset.
                default-cache-ttl: 1000000000000000
                # This is the maximum amount of time gpg-agent will remember your passphrase
                # Once this amount of time has expired, gpg-agent will always ask you to re-enter it.
                max-cache-ttl: 10000000000000000000

geluk commented 4 years ago

You need to set allow-config-management: false to true as well, otherwise the changes won't be written to the gpg-agent configuration file. The default of false here is a safety precaution to ensure pass-winmenu doesn't automatically alter the GPG configuration files, since that may not be what everyone wants.

As an aside, I'm not sure how well gpg-agent will deal with such high TTL values, so if you still encounter issues, I'd try lowering them.
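
The mismatch diagnosed above (keys set in pass-winmenu.yaml but never written to gpg-agent.conf) can be checked mechanically. This Python sketch is an added example, not part of the thread or of pass-winmenu; the file contents are constructed samples, the function names are hypothetical, and the 32-bit TTL limit is an assumption about how gpg-agent stores the value on Windows.

```python
import re

# Constructed sample mirroring the gpg-agent section posted in this thread.
PASS_WINMENU_YAML = """\
gpg-agent:
    config:
        allow-config-management: false
        keys:
            default-cache-ttl: 1000000000000000
            max-cache-ttl: 10000000000000000000
"""
# Constructed sample: a gpg-agent.conf that pass-winmenu never wrote to.
GPG_AGENT_CONF = "# no cache options set\n"
TTL_KEYS = ("default-cache-ttl", "max-cache-ttl")
# Assumption: the TTL is held in a C unsigned long, which is 32 bits on Windows.
ASSUMED_MAX_TTL = 2**32 - 1


def yaml_scalar(text, key):
    """Return the scalar after 'key:' in the YAML text, or None (not a full YAML parser)."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def conf_option(text, key):
    """Return the value of 'key <value>' in gpg-agent.conf text, ignoring comments."""
    m = re.search(rf"^\s*{re.escape(key)}\s+(\d+)", text, re.MULTILINE)
    return m.group(1) if m else None


def audit(yaml_text, conf_text):
    """List reasons the requested cache TTLs may not be in effect."""
    findings = []
    if yaml_scalar(yaml_text, "allow-config-management") != "true":
        findings.append("allow-config-management is not true: keys are not written to gpg-agent.conf")
    for key in TTL_KEYS:
        wanted = yaml_scalar(yaml_text, key)
        if wanted is None:
            continue
        if int(wanted) > ASSUMED_MAX_TTL:
            findings.append(f"{key}={wanted} exceeds assumed limit {ASSUMED_MAX_TTL}")
        actual = conf_option(conf_text, key)
        if actual != wanted:
            findings.append(f"{key}: gpg-agent.conf has {actual}, pass-winmenu.yaml asks for {wanted}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(PASS_WINMENU_YAML, GPG_AGENT_CONF)))
```

To run it against a real setup, pass the contents of your own pass-winmenu.yaml and gpg-agent.conf to `audit` in place of the samples.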

willpower232 commented 4 years ago

that amount of seconds is millions of years so bound to upset something :laughing:

alexozer commented 4 years ago

Setting allow-config-management to true seems to have worked, thanks!