
unlocking gpg-agent via pam?
Open, Normal, Public

Description

Hello,

apparently there is no way at the moment to unlock gpg-agent on login via pam.
As envoy seems to be deprecated and not working due to gpg's change to the
password preset in 2.0, it would be very nice if we could have native pam support to
unlock ssh and gpg keys on login.

Event Timeline

werner added a subscriber: werner.

I don't understand what you mean by unlocking gpg-agent. Can you please explain in detail what you are trying to achieve?

Hi,

what I mean by unlocking is the act of using the passphrase to load the gpg and ssh keys and hence not needing to type the phrase again afterwards.

So what I would like to see is this:
You log in to your session. For that you use a password. That password is validated through pam. The same password is passed to gpg-agent and hence unlocks it for the future.

Same situation for a screensaver. The screensaver pops on and I lock (i.e. unload the keys) gpg-agent. Once I give the right password to the screensaver, which processes it through pam, I am back in my session with an unlocked gpg-agent.

In the past, you could use envoy for that but today this does not work anymore.

So this is basically what GNOME does with its keyring daemon and pinentry-gnome.

I am not too familiar with the gnome keyring but from looking it up on the arch wiki, it seems to have this single sign on capability.

For context, here's what the wisdom of the crowd is rigging together around GPG to get this single-sign-on feature: