romanz / trezor-agent

Hardware-based SSH/GPG/age agent
GNU Lesser General Public License v3.0
571 stars 150 forks

[Question] Should I not enter my pin via my pinentry-program rather than my trezor? #325

Open doolio opened 4 years ago

doolio commented 4 years ago

So I may be a unique case amongst your users. I'm using my trezor (model T) along with pass to manage my passwords. I also use Emacs to interact with my password-store. There is an Emacs major mode and other packages that facilitate this. As the trezor-agent documentation suggests, I configure run-agent.sh to use pinentry-emacs as my pinentry-program as follows:

--pin-entry-binary=pinentry-emacs
--passphrase-entry-binary=pinentry-emacs

which brings up the question of whether a gpg-agent.conf, where pinentry-program would normally be defined, applies to trezor-gpg-agent?

This resolves the https://github.com/NicolasPetton/pass/issues/41 issue I was experiencing.

However, I still enter my PIN on the trezor itself. Is that expected if using a pinentry-program?

That same issue describes the number of times I'm prompted by my trezor to decrypt the specific GPG password files. Is it normal to be prompted more than once when accessing a GPG file? Thanks for your time.
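A small check to go with the configuration quoted above (an added example, not part of trezor-agent or of the original post): it reads the `--pin-entry-binary=` and `--passphrase-entry-binary=` options out of a run-agent.sh-style file and confirms that each named program actually resolves on PATH, which is the first thing to verify when a pinentry program such as pinentry-emacs is not being used. The sample file it writes is constructed for the demonstration and only mimics the shape of the two option lines from the issue; the real run-agent.sh generated by the project may differ.

```shell
#!/bin/sh
# Added example, not project code: validate the pinentry binaries named in a
# run-agent.sh-style file (the --pin-entry-binary= / --passphrase-entry-binary=
# options quoted in the issue) by checking that they resolve on PATH.

# Print the value of the first "--OPTION=value" line in FILE (empty if unset).
agent_option() {            # usage: agent_option FILE OPTION
    sed -n "s/^[[:space:]]*--$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 if every configured pinentry binary resolves on PATH, 1 otherwise.
# An unset option is reported but not treated as an error.
check_pinentry_config() {   # usage: check_pinentry_config FILE
    rc=0
    for opt in pin-entry-binary passphrase-entry-binary; do
        bin=$(agent_option "$1" "$opt")
        if [ -z "$bin" ]; then
            echo "$opt: not set"
            continue
        fi
        if command -v "$bin" >/dev/null 2>&1; then
            echo "$opt: $bin -> $(command -v "$bin")"
        else
            echo "$opt: $bin not found on PATH" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the shape of the option lines from the issue
# (not a real run-agent.sh produced by trezor-agent).
write_sample() {            # usage: write_sample FILE PINENTRY_PROGRAM
    cat >"$1" <<EOF
#!/bin/sh
exec trezor-gpg-agent \\
    --pin-entry-binary=$2 \\
    --passphrase-entry-binary=$2 \\
    "\$@"
EOF
}

# Stand-alone demonstration: one file naming an existing program, one naming
# a program that does not exist.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample "$dir/ok.sh" sh
    write_sample "$dir/missing.sh" no-such-pinentry-program
    check_pinentry_config "$dir/ok.sh"
    check_pinentry_config "$dir/missing.sh" || echo "missing.sh: check failed (expected)"
    rm -rf "$dir"
fi
```

Run it as `sh check-pinentry.sh --demo` (file name assumed), or source it and call `check_pinentry_config ~/.gnupg/trezor/run-agent.sh` against the real file; a non-zero return means the agent could not launch the configured pinentry program.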

romanz commented 4 years ago

Thanks for reporting this issue! I am actually also using pass with Trezor :)

Since Trezor model T supports on-device PIN entry, you shouldn't get notified to enter the PIN on your host machine. However, you will get an on-device notification each time you decrypt a password, since Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

doolio commented 4 years ago

Sorry for the late response.

you will get an on-device notification each time you decrypt a password, since Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

That's understood. However, I get on-device prompting more than once, but this is due to my (mis-?)use of Emacs, for which I'm still searching for a solution.

the question of whether a gpg-agent.conf, where pinentry-program would normally be defined, applies to trezor-gpg-agent?

I presume gpg-agent.conf is not applicable to the trezor-gpg-agent. Can you confirm?

Thanks for your time.

Dehumanizer77 commented 7 months ago

Since Trezor model T supports on-device PIN entry, you shouldn't get notified to enter the PIN on your host machine.

In Trezor suite, you also have an option of entering password either on the device or on the machine...

doolio commented 7 months ago

In Trezor suite, you also have an option of entering password either on the device or on the machine

Do you? I can't seem to find such an option.

Dehumanizer77 commented 7 months ago

Of course you do... https://trezor.io/content/wysiwyg/Images_sorted/PUBLIC_ALL_Security_and_Privacy/Security_best_practices/Passphrase/Empower%20update/Passphrase%20and%20hidden%20wallets%201.png

doolio commented 7 months ago

You see this when you want to create a new wallet? I have the option to create a hidden wallet and if I do I presume I'll be presented with this GUI?

Dehumanizer77 commented 7 months ago

This is the default screen when connecting a Trezor if you have a passphrase enabled. There is no "creation" of a hidden wallet; a passphrase is, simply said, another seed word added to your seed, so every passphrase you enter is essentially a different wallet.