Use Trezor for GPG passphrases
# Trezor as a GPG passphrase
With this installed, whenever GPG needs to unlock a key, trezor_gpg brings up a keypad for your Trezor PIN instead of a passphrase prompt. As with the standard Trezor PIN matrix, the digit positions are shown on the device screen, so the keypad on your computer is blank.
You may enter your PIN by clicking the on-screen buttons. Alternatively, use one of these three keyboard grids (left-hand letters, right-hand letters, or the numeric keypad), where each key stands for the keypad position it occupies:

```
w e r    u i o    7 8 9
s d f    j k l    4 5 6
x c v    m , .    1 2 3
```

Press Enter to submit the PIN, Escape to cancel, or Backspace to clear what you have typed.
# Installation
gpg2 must be installed and on your PATH. This guide assumes you're using the default GPG2 agent and not Seahorse.

1. Run `pip install trezor_gpg`
2. Find where it's installed by running `which trezor_gpg`
3. Add this line to `~/.gnupg/gpg-agent.conf`, using the absolute path printed in step 2: `pinentry-program /path/to/trezor_gpg`
4. Run `echo RELOADAGENT | gpg-connect-agent`, or restart your computer
### Setting up Trezor passphrases
Run `trezor_gpg -a KEY`
If the key already has a non-Trezor passphrase, remove that passphrase with the default pinentry program first, i.e. before pointing gpg-agent at trezor_gpg in step 3 above; once trezor_gpg is the pinentry program there is no way to type the old passphrase.
### Removing a Trezor passphrase
Run `trezor_gpg -r KEY`
### Disable redundant GPG passphrase cache

You may also want to disable GPG's own passphrase caching, since the Trezor has its own cache period; with both enabled, a passphrase cached by gpg-agent lets a key be used without the device being consulted at all. Add this to gpg-agent.conf, or modify the value if it's already there:

`max-cache-ttl 0`

Then restart the agent via step 4 above.
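The installation steps 2 to 4 and the cache change above, as an added example (not part of trezor_gpg, written in Python since that is the language trezor_gpg itself is written in). It locates `trezor_gpg` on PATH, sets `pinentry-program` and `max-cache-ttl` in gpg-agent.conf while replacing any existing value instead of appending a duplicate, and reloads the agent. The `GNUPGHOME` handling, the 0600 file mode and the option-editing helper are this example's own choices, not behaviour of trezor_gpg.

```python
"""Idempotently point gpg-agent at trezor_gpg and disable its passphrase cache.

Added example, not trezor_gpg's own code. Default conf path is
$GNUPGHOME/gpg-agent.conf, falling back to ~/.gnupg/gpg-agent.conf.
"""
import os
import re
import shutil
import subprocess
from typing import Optional


def set_agent_option(conf_text: str, key: str, value: Optional[str]) -> str:
    """Return conf_text with `key value` present exactly once.

    The first active line for `key` is rewritten in place so the file keeps its
    order and comments; any further active lines for `key` are commented out.
    value=None comments out every active line for `key` (used to undo a change).
    """
    pattern = re.compile(rf"^\s*{re.escape(key)}(\s+.*)?$")
    lines = conf_text.splitlines()
    done = False
    for i, line in enumerate(lines):
        if not pattern.match(line):
            continue
        if value is not None and not done:
            lines[i] = f"{key} {value}"
            done = True
        else:
            lines[i] = "#" + line  # duplicate or removal: keep it visible, inactive
    if value is not None and not done:
        lines.append(f"{key} {value}")
    return "\n".join(lines) + ("\n" if lines else "")


def gnupg_home() -> str:
    return os.environ.get("GNUPGHOME") or os.path.expanduser("~/.gnupg")


def configure_agent(pinentry_path: str, disable_cache: bool = True,
                    conf_path: Optional[str] = None, reload: bool = True) -> str:
    """Write the options (steps 3 and the cache change) and reload the agent (step 4)."""
    conf_path = conf_path or os.path.join(gnupg_home(), "gpg-agent.conf")
    text = ""
    if os.path.exists(conf_path):
        with open(conf_path, encoding="utf-8") as f:
            text = f.read()
    text = set_agent_option(text, "pinentry-program", pinentry_path)
    if disable_cache:
        text = set_agent_option(text, "max-cache-ttl", "0")
    os.makedirs(os.path.dirname(conf_path), mode=0o700, exist_ok=True)
    with open(conf_path, "w", encoding="utf-8") as f:
        f.write(text)
    os.chmod(conf_path, 0o600)  # agent config names the program that sees passphrases
    if reload:
        # Same effect as `echo RELOADAGENT | gpg-connect-agent`.
        subprocess.run(["gpg-connect-agent", "RELOADAGENT", "/bye"], check=True)
    return text


if __name__ == "__main__":
    path = shutil.which("trezor_gpg")  # step 2
    if path is None:
        raise SystemExit("trezor_gpg not on PATH; run `pip install trezor_gpg` first")
    print(configure_agent(path))
```

Run it after `pip install trezor_gpg`; the printed text is the resulting gpg-agent.conf. If the Trezor is ever retired, `set_agent_option(text, "pinentry-program", None)` comments the line back out rather than deleting it, so the file still shows what was there.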
### Configuration
Set these environment variables on your gpg-agent daemon, for example by overriding `/usr/lib/systemd/user/gpg-agent.service` with a drop-in (`systemctl --user edit gpg-agent.service`):

- `PINENTRY_TREZOR_DEBUG=1`: write logs to `~/.cache/trezor-gpg/log/debug.log`
- `PINENTRY_TREZOR_DONT_FLASH=1`: don't show which keypad button was pressed when using the keyboard, so an onlooker gets no position feedback
- `PINENTRY_TREZOR_KEYSET=123456789`: use these nine characters as the keyboard grid instead of the default
# Current Limitations
- This doesn't use locked memory, so the decrypted passphrase may be written to swap if its pages are paged out.
- No support for TTY entry, since Python's getpass is hardcoded to a specific TTY.
- No mixed passphrase support: either all passphrased keys have Trezor passphrases or none do.
- Passphrases are derived from the key fingerprint, so they can't be changed.
# How It Works
trezor_gpg acts as a pinentry program: when GPG needs to unlock an existing key, or to set the passphrase on a new key, gpg-agent runs trezor_gpg in place of the normal passphrase prompt. trezor_gpg treats the key's fingerprint as an encrypted blob and has the Trezor decrypt it, using the result as a synthetic passphrase. The fingerprint is unique to the key and an inseparable property of it, so if you export the key and import it on another system trezor_gpg can still derive everything it needs, as long as the same Trezor is present.
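The two halves of that mechanism, as an added example that is not trezor_gpg's code: a minimal pinentry server speaking the protocol gpg-agent uses with whatever `pinentry-program` names, and a stand-in for the device-side step. `synthetic_passphrase()` is a local HMAC over the fingerprint that plays the role of "the Trezor decrypts the fingerprint"; it involves no hardware and no trezorlib, and only reproduces the properties the text relies on (deterministic per fingerprint and device, so an exported key still unlocks elsewhere and the passphrase cannot be changed). gpg-agent identifies the key to a pinentry by keygrip in `SETKEYINFO`, and the page does not say how trezor_gpg gets from there to a fingerprint, so a constructed keygrip-to-fingerprint table stands in. The device secret, keygrip and fingerprint are constructed sample values.

```python
"""Minimal pinentry server with a stand-in for the Trezor-derived passphrase.

Added example, not trezor_gpg's own code. Command names, reply lines and the
%XX escaping are the pinentry protocol; the derivation is a local stand-in.
"""
import base64
import hashlib
import hmac
import sys
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote

DEVICE_SECRET = b"constructed-device-secret-not-a-real-seed"      # constructed
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"          # constructed
SAMPLE_GRIP = "n/FEDCBA9876543210FEDCBA9876543210FEDCBA98"        # constructed
KEYGRIP_TO_FINGERPRINT = {SAMPLE_GRIP: SAMPLE_FPR}                 # constructed


def synthetic_passphrase(device_secret: bytes, fingerprint: str) -> str:
    """Deterministic, device-bound value derived from the key fingerprint.

    Stand-in for the on-device decryption: same fingerprint + same device gives
    the same passphrase, and because the input is the fingerprint there is no
    way to change the passphrase without changing the key.
    """
    fpr = bytes.fromhex(fingerprint.replace(" ", ""))
    mac = hmac.new(device_secret, b"trezor-gpg-demo:" + fpr, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def percent_escape(s: str) -> str:
    """A D line may not carry a raw '%', CR or LF; the client unescapes them."""
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def demo_passphrase_for(state: Dict[str, str]) -> Optional[str]:
    """Resolve the key gpg-agent is asking about; None means the user cancelled."""
    fpr = KEYGRIP_TO_FINGERPRINT.get(state.get("setkeyinfo", ""))
    if fpr is None:
        return None
    return synthetic_passphrase(DEVICE_SECRET, fpr)


class MiniPinentry:
    CANCELLED = "ERR 83886179 Operation cancelled <Pinentry>"
    UNKNOWN = "ERR 275 Unknown IPC command <Pinentry>"
    # Commands that only record a value for the later GETPIN (last value wins).
    SETTERS = {"OPTION", "SETDESC", "SETPROMPT", "SETTITLE", "SETOK", "SETCANCEL",
               "SETERROR", "SETKEYINFO", "SETREPEAT", "SETQUALITYBAR", "SETTIMEOUT"}

    def __init__(self, passphrase_for: Callable[[Dict[str, str]], Optional[str]]):
        self.passphrase_for = passphrase_for
        self.state: Dict[str, str] = {}

    def handle(self, line: str) -> List[str]:
        """Process one client line and return the server's reply lines."""
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            return []                                  # blank/comment: no reply
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "BYE":
            return ["OK closing connection"]
        if cmd in self.SETTERS:
            self.state[cmd.lower()] = unquote(arg)      # arguments arrive %XX-escaped
            return ["OK"]
        if cmd in ("CONFIRM", "MESSAGE"):
            return ["OK"]
        if cmd == "GETPIN":
            pin = self.passphrase_for(dict(self.state))
            if pin is None:
                return [self.CANCELLED]
            return ["D " + percent_escape(pin), "OK"]
        return [self.UNKNOWN]

    def transcript(self, client_lines: List[str]) -> List[str]:
        """Run a whole session offline and return every line the server wrote."""
        out = ["OK Pleased to meet you"]
        for line in client_lines:
            out.extend(self.handle(line))
            if line.strip().upper() == "BYE":
                break
        return out

    def serve(self, infile=sys.stdin, outfile=sys.stdout) -> None:
        """Speak the protocol on stdin/stdout, which is how gpg-agent drives a pinentry."""
        outfile.write("OK Pleased to meet you\n")
        outfile.flush()
        for line in infile:
            for reply in self.handle(line):
                outfile.write(reply + "\n")
            outfile.flush()
            if line.strip().upper() == "BYE":
                return


if __name__ == "__main__":
    MiniPinentry(demo_passphrase_for).serve()
```

`transcript()` is what the offline check exercises; `serve()` is the same logic on stdin/stdout, so the file could in principle be named as `pinentry-program` to watch the exchange. Note what the "no mixed passphrases" limitation looks like here: every `GETPIN` is answered from the derivation, so a key that still carries a typed passphrase has no path to get it entered.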