Status: Closed (maddovr closed this issue 2 years ago)
I'm afraid that's not supported today. I haven't closely followed whether age itself has added some kind of persistent agent support.
But gopass had it for a while, until I realized that it might be insecure, so instead of shipping something that might be dangerous I removed it.
We could make a new attempt, but we'll need to make some careful changes around that (e.g. who can talk to the agent, unlocked private key material should not leave the agent, ...). Also possibly issues with OS-specific keychains.
I have a work-in-progress branch that uses the OS keyring to cache the passphrase.
But I'm not sure I'm happy with the currently indefinite caching.
I have msmtp with three accounts and three different passwords, set to run every 5 minutes to check for my emails. That'd be annoying to deal with. I think if we could make this a strictly opt-in feature, with a huge disclaimer "it's unsafe, do so at your own risk", it would be good for the users. EDIT: Just to clarify, this problem is actually unique to age, since gpg-agent can and will cache the password if you want it to. And you can also hook it with pam if you so wish. So it's sort of a feature-parity thing.
I think we can add this as an optional feature (off by default) and let age adopters try and report feedback.
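As an added illustration of the bounded caching the maintainer's comment above says the WIP branch still lacks (example code written for this thread, not gopass's own code or its keyring branch): a small in-memory passphrase cache in Go whose entries expire after a fixed TTL and are zeroed and dropped on expiry, so a cached passphrase never lives indefinitely. The cache type, the entry id `mail/whatever`, the 5-minute TTL and the injectable clock are assumptions for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// entry holds one cached passphrase and the instant it stops being valid.
type entry struct {
	secret  []byte
	expires time.Time
}

// ttlCache is a hypothetical time-bounded passphrase cache (not gopass code).
type ttlCache struct {
	mu   sync.Mutex
	ttl  time.Duration
	now  func() time.Time // injectable clock, so expiry can be tested deterministically
	data map[string]*entry
}

func newTTLCache(ttl time.Duration) *ttlCache {
	return &ttlCache{ttl: ttl, now: time.Now, data: map[string]*entry{}}
}

// wipe overwrites secret bytes before they are dropped from the map.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Put stores a private copy of secret under id with a fresh expiry.
func (c *ttlCache) Put(id string, secret []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if old, ok := c.data[id]; ok {
		wipe(old.secret)
	}
	c.data[id] = &entry{secret: append([]byte(nil), secret...), expires: c.now().Add(c.ttl)}
}

// Get returns a copy of the cached secret, or wipes and removes it once the TTL has passed.
func (c *ttlCache) Get(id string) ([]byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.data[id]
	if !ok {
		return nil, false
	}
	if !c.now().Before(e.expires) {
		wipe(e.secret)
		delete(c.data, id)
		return nil, false
	}
	return append([]byte(nil), e.secret...), true
}

func main() {
	c := newTTLCache(5 * time.Minute)
	c.Put("mail/whatever", []byte("constructed-sample-passphrase"))
	_, hit := c.Get("mail/whatever")
	fmt.Println("cached within TTL:", hit)
}
```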
Summary
I want to use gopass with age as my auth-source for managing my email passwords. I use mbsync/msmtp to read and send emails locally and I passed `gopass mail/whatever` as a command, since the PassCmd option in both configs accepts stdin and it works nicely. However, age seems to forget the password every 5 minutes or so and I'm prompted with a pinentry dialog, which might be more secure but is bad UX since mbsync runs every 5 minutes to check for emails. Is there a solution to unlock age at login automatically (or just once per session)?

Edit: Could I do the autounlock if I added an ssh key as a recipient and then dumped it into ssh-agent? Also, would adding a recipient re-encrypt the whole store to use that key instead?