Use Trezor for GPG passphrases

# Trezor as a GPG passphrase

With this installed, whenever GPG needs to unlock a key, trezor_gpg brings up a keypad for entering your Trezor PIN.

You may enter your PIN using the on-screen buttons. Alternatively you may use one of the keyboard grids below (left hand, right hand, or numeric keypad), where each block of keys maps to the 3x3 Trezor PIN matrix:

```
w e r   u i o   7 8 9
s d f   j k l   4 5 6
x c v   m , .   1 2 3
```

Press Enter to submit the PIN, Escape to cancel, or Backspace to clear the PIN.

# Installation

gpg2 must be installed and on your PATH. This guide assumes you're using the default GPG2 agent and not Seahorse.

  1. Run `pip install trezor_gpg`

  2. Find where it's installed by running `which trezor_gpg`

  3. Add this line to `~/.gnupg/gpg-agent.conf`: `pinentry-program /path/to/trezor_gpg`

  4. Run `echo RELOADAGENT | gpg-connect-agent` or restart your computer

### Setting up Trezor passphrases

  1. Run `trezor_gpg -a KEY`

If your key has an existing non-Trezor passphrase, you need to remove that passphrase with the default pinentry program first (before doing step 3 above), since trezor_gpg cannot supply the old passphrase.

### Removing a Trezor passphrase

  1. Run `trezor_gpg -r KEY`

### Disable redundant GPG passphrase cache

You may also want to disable GPG passphrase caching since Trezor has its own cache period. Add this to `gpg-agent.conf`, or modify the value if it's already there:

```
max-cache-ttl 0
```

Then restart the agent via step 4 above.

### Configuration

Set these environment variables on your gpg-agent daemon, for example by overriding `/usr/lib/systemd/user/gpg-agent.service`.

  • `PINENTRY_TREZOR_DEBUG=1`: write logs to `~/.cache/trezor-gpg/log/debug.log`

  • `PINENTRY_TREZOR_DONT_FLASH=1`: don't show which keypad button was pressed when using the keyboard

  • `PINENTRY_TREZOR_KEYSET=123456789`: use this letter grid for keyboard entry
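The installation steps, the cache setting and the environment-variable configuration above all come down to editing two files and reloading the agent. The script below is an added example, not part of the trezor_gpg project: it rewrites `gpg-agent.conf` idempotently (an existing `pinentry-program` or `max-cache-ttl` line is replaced rather than duplicated), writes a systemd user drop-in for the environment variables, and reloads the agent. It assumes `trezor_gpg` is on PATH and that the user-unit drop-in directory `~/.config/systemd/user/gpg-agent.service.d/` is honoured by your systemd; both file locations are parameters so the functions can be exercised on temporary files first.

```shell
#!/bin/sh
# Added example (not trezor_gpg's own code): configure gpg-agent to use
# trezor_gpg as its pinentry and disable the redundant passphrase cache.
set -eu

# set_agent_option CONF KEY VALUE
# Replace every existing "KEY ..." line in CONF with a single "KEY VALUE"
# line, or append one if none exists. Safe to run repeatedly.
set_agent_option() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp"
    # keep every line that does not start with the option name
    grep -v -E "^[[:space:]]*$key([[:space:]]|\$)" "$conf" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# get_agent_option CONF KEY -> prints the value of the last "KEY ..." line
get_agent_option() {
    awk -v k="$2" '$1 == k { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
                   END { print v }' "$1"
}

# configure_trezor_pinentry [CONF] [PINENTRY_PATH]
# Steps 3 and 4 of the installation plus the max-cache-ttl setting.
configure_trezor_pinentry() {
    conf=${1:-"$HOME/.gnupg/gpg-agent.conf"}
    pinentry=${2:-"$(command -v trezor_gpg || true)"}
    if [ -z "$pinentry" ] || [ ! -x "$pinentry" ]; then
        echo "trezor_gpg not found or not executable: '$pinentry'" >&2
        return 1
    fi
    set_agent_option "$conf" pinentry-program "$pinentry"
    set_agent_option "$conf" max-cache-ttl 0   # Trezor has its own cache period
    chmod 600 "$conf"                          # agent config should be private
}

# write_agent_env_override [DROPIN_DIR] VAR=VALUE...
# Writes a systemd user drop-in so gpg-agent sees the PINENTRY_TREZOR_* vars.
# Assumed drop-in location: ~/.config/systemd/user/gpg-agent.service.d/
write_agent_env_override() {
    dir=${1:-"$HOME/.config/systemd/user/gpg-agent.service.d"}
    shift
    mkdir -p "$dir"
    {
        echo '[Service]'
        for kv in "$@"; do printf 'Environment=%s\n' "$kv"; done
    } > "$dir/trezor-env.conf"
    chmod 600 "$dir/trezor-env.conf"
}

# Step 4: make the running agent re-read its configuration.
reload_agent() {
    echo RELOADAGENT | gpg-connect-agent
}

# Uncomment to apply to the real configuration:
# configure_trezor_pinentry
# write_agent_env_override "" PINENTRY_TREZOR_DEBUG=1 PINENTRY_TREZOR_DONT_FLASH=1
# systemctl --user daemon-reload && reload_agent
```

Run the commented-out lines once you are satisfied with the dry run on a temporary file; after changing the systemd drop-in the agent process itself has to be restarted (not just reloaded) for new environment variables to take effect.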

# Current Limitations

  • This doesn't use locked memory, which means the decrypted passphrase may be written to disk (swap) if memory is paged out!

  • No support for TTY entry, since Python's getpass is hardcoded to a specific TTY

  • No mixed passphrase support: either all passphrased keys have Trezor passphrases or none do

  • Passphrases are derived from the key fingerprint, so they can't be changed

# How It Works

trezor_gpg acts as a pinentry program: when GPG needs to unlock an existing key or lock a new key, it runs trezor_gpg. trezor_gpg treats the key's fingerprint as an encrypted blob and has the Trezor decrypt it, using the result as a synthetic passphrase. The fingerprint is unique to the key and an inseparable property of it, so if you export the key and import it on another system, trezor_gpg can still retrieve all the information it needs as long as the same Trezor is present.


Source distribution: `trezor_gpg-0.0.4.tar.gz` (5.7 kB)
