Gpg4win with Thunderbird/Enigmail: how to cache password forever?

I believe this may have been asked before; in fact I have spent the last two days reading all possible forums (not just this one), but I can’t find the right answer to fix my issue (or maybe I am too dumb), so I am going to try to ask for help here, hoping to find someone that can help me.

My System specs:
Windows 7 Home Premium - up to date
Thunderbird 52.6 32 bit
Enigmail 1.9.8.3 installed directly from Thunderbird addons
GPA (0.9.10) - GnuPG 2.0.30

gpg-agent.conf file contains this code:
default-cache-ttl 31536000
max-cache-ttl 31536000

gpg.conf file contains this code:
###+++--- GPGConf ---+++###
utf8-strings
keyserver hkp://keys.gnupg.net
###+++--- GPGConf ---+++### 12/11/17 09:35:23 W. Europe Standard Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

My problem:
I want to cache my passphrase FOREVER, so that I do not have to type it in every time I reboot my computer and restart Thunderbird (I use a really long complex password and I can’t paste it in each time, I need it set once and forget it).

Currently, each time I reboot and start Thunderbird, when I try to read an encrypted email, I receive the attached message from pinentry.exe (see attached image). How can I set up all this so it never asks me again to type in my password?

Capture2.PNG

Hi TS,
if I understand you correctly, you would want the passphrase to be cached
over reboots. If this is the case, then you would want to use a secret key without
a passphrase. (Combined with an encrypted file system, this may be just the security you’d want.)

Background: The caching of the passphrase in memory is to limit the exposure of your secret key, so it does not get saved on the filesystem unprotected. To be used after a reboot automatically, it has to be saved on the filesystem. If this is what you want, then using no passphrase may be fine, which is just this: an unprotected secret key on the file system. Of course you should protect the filesystem by other means then, for instance with reasonable file encryption that you unlock on each reboot. :slight_smile:
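To make the point of the answer above concrete, here is an added model (not gpg-agent's own code) of how the passphrase cache expires: an entry is dropped when idle longer than default-cache-ttl, when older than max-cache-ttl, or when the agent process goes away. The TTL values are the ones from the gpg-agent.conf in this thread; the access timeline and the keygrip name are constructed for illustration.

```python
"""Toy model of gpg-agent passphrase-cache expiry (added example, not gpg code).

gpg-agent keeps cached passphrases only in process memory.  An entry is
dropped when it has been idle longer than default-cache-ttl, when its total
age exceeds max-cache-ttl, or when the agent process itself goes away
(logoff, reboot).  That is why a one-year TTL still does not survive a reboot.
"""
from dataclasses import dataclass, field

DEFAULT_CACHE_TTL = 31536000   # seconds, value from the thread's gpg-agent.conf
MAX_CACHE_TTL = 31536000       # seconds, value from the thread's gpg-agent.conf


@dataclass
class CacheEntry:
    created: float     # when the passphrase was entered via pinentry
    last_used: float   # last time gpg-agent served it from the cache


@dataclass
class AgentCache:
    default_ttl: int = DEFAULT_CACHE_TTL
    max_ttl: int = MAX_CACHE_TTL
    entries: dict = field(default_factory=dict)

    def store(self, keygrip, now):
        """pinentry succeeded: remember the passphrase for this keygrip."""
        self.entries[keygrip] = CacheEntry(now, now)

    def lookup(self, keygrip, now):
        """Return True if the passphrase is still cached at time `now`."""
        e = self.entries.get(keygrip)
        if e is None:
            return False
        if now - e.last_used > self.default_ttl or now - e.created > self.max_ttl:
            del self.entries[keygrip]      # expired: pinentry would pop up again
            return False
        e.last_used = now                  # a cache hit refreshes the idle timer
        return True

    def restart(self):
        """Reboot or logoff: the agent process dies and its memory with it."""
        self.entries.clear()


def simulate(events, default_ttl=DEFAULT_CACHE_TTL, max_ttl=MAX_CACHE_TTL):
    """events: list of (seconds, action) with action in unlock/use/reboot.
    Returns one bool per 'use' event: True = served from cache, False = pinentry."""
    cache = AgentCache(default_ttl, max_ttl)
    results = []
    for t, action in events:
        if action == "unlock":
            cache.store("CONSTRUCTED-KEYGRIP", t)
        elif action == "use":
            results.append(cache.lookup("CONSTRUCTED-KEYGRIP", t))
        elif action == "reboot":
            cache.restart()
    return results
```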

Hi Bernhard, thanks for the answer.

I guess what you say could be a solution, but I am not sure GPA/gpg4win will let me create a key pair where my private secret key does not have a password?
I did not see that option (I admit I am not 100% knowledgeable on this procedure: private key creation without password).

Taking one step back: my business partner uses Mac and he has set up Thunderbird+Enigmail+GPGsuite and he has something in Apple that automatically takes care of/remember his password.

Is it not possible to have something similar in Windows with my current setup?

Hi ts,

Yes, you should be able to change your passphrase to an empty one.
(If not by GPA, then on the command line).

As for a credential store: I agree that it would be an improved solution if Gpg4win could offer a solution to have the operating system protect your private key and only unlock it when you are logged in. We haven’t done much research yet on how to implement something like this. Right now Gpg4win does not offer it (as far as I know).

Best Regards,
Bernhard

Ok, I am going to try this, are there any instructions on how to do it with the command line?

Yes, you should be able to change your passphrase to an empty one.
(If not by GPA, then on the command line).

Thank you for the help.
Best regards,
ts

Btw, I just tried to remove the passphrase from the GPA/gpg interface and it did not work; I am attaching a screenshot of the various pop-up windows that came up in sequence, from top to bottom.

Regards,
ts

Capture.PNG

Strange,
I just tested it both with Kleopatra and GPA and it worked with both for me, using Gpg4win-3.0.3. Could you possibly try with Kleopatra or on the command line.

On the command line it is:

gpg --edit-key

and then:
passwd

This might give us a better error message.

It’s very ugly because it asks you for the new passphrase for each subkey (so usually twice), but in my tests it works. (We have a bug report for the duplicated question: https://dev.gnupg.org/T2069)

change-passphrase.gif

Thank you Andre!
You solved the problem, with Kleopatra, it worked.

Also, Kleopatra allows me to copy and paste in the password, so if I ever want to put a password back in, at least that way it’s not too bad as I don’t have to type it in manually each time, so this is all great.

FYI, before re-installing GPG4win 3.03 with Kleopatra included, I tried the command line as per your suggestion but it did not work. I am attaching a text file with the cmd screendump, for your perusal, to see what errors were in there after running the command line (the xs are for privacy):
gpg --edit-key xxxxxxxxxx

Best regards,
ts

screendump-cmd.txt (2.59 KB)

Hi Ts,
good that it is working with the current Gpg4win. :slight_smile:

Note that your command line screendump does not indicate failure.

Best Regards,
Bernhard

Ah, ok, good to know.
I started the process on the command line, then I thought it did not work because it popped up some small GUI window (which unfortunately I did not save to show you) and so I moved to Kleopatra to do the job from scratch, leaving the cmd prompt open.

On Kleopatra it worked fine.

Then I went back to the command line and noticed it was now asking for a Y/N. I am not sure it was like that when I temporarily abandoned the command line; anyway, sorry for the confusion. The bottom line is that the problem is resolved, so thank you all for the help.

Regards,
ts

You are welcome!

(Feel free to recommend Gpg4win or choose a payment that matches your satisfaction next time. :wink: )

absolutely, will do!

I wanted to add one last question/layer as I think other people may encounter or have encountered the issue I did encounter, and they may be wondering how can we manage the password if we did not want to remove it but still don’t want to input it each time.

In other words: how can we do it like the Mac of my friend, which simply manages the password of GPG-suite (I know, different software, but still…), so that he never has to bother about typing in or pasting in the password after each reboot?

Is there any program out there that we may use to manage the GPG4win private key password so that in some automatic fashion, each time we reboot and re-launch Thunderbird, we won’t have to worry about the password because that program will take care of this issue?

Of course it could be a password manager, but which one of the many out there would work with GPG4win and ensure a smooth, fully automated passphrase management for a case like the one described in this thread?

Feels like something that should be possible.
There are several tools of different OS that rely on the login credentials to gain access to otherwise hidden/locked content.

On macOS that is, just like UAC on Windows, something that is quite frequently asked for, and it’s done AFTER the login, so just logging in isn’t enough for certain things.

You can’t add a wifi password to the “key storage” without giving your credentials.

Personally speaking, being asked for your credentials once, on reboot, shouldn’t be that much of a deal. But, IF the logon credentials are proper, and not just 123qwe, I’d be ok with services using those credentials to gain access to internal content.

Maybe I value security a step further, because I don’t even mind being asked for 2-factor-authentication several times a day. I realise that could be an annoyance for some. Still, we (more than likely all of us) have legal requirements to secure access to our data, so it’s just something I accept.

Sounds like there is no single solution for MS Windows? Under GNU/Linux it also works like in macOS.

Hi!

It seems that the original problem that ts wp had was solved.
So for new things, it makes sense to open a new topic.

Best,
Bernhard

Well, the program called Kleopatra is NOT the solution - just tested. I haven’t seen any other solution for MS Windows similar to macOS Keychain or GNU/Linux Seahorse. This means seamlessly providing the GPG key password over reboots WITHOUT human intervention. Sure, I can start a new thread, but I am asking pretty much the same thing. In a browser on MS Windows it is possible to establish such a seamless situation, but not in apps like on macOS or GNU/Linux, as far as I have found for now.

Hi Zero Conf,

from your description I do not understand the problem well enough.
So please open a new thread to describe your problem (and use case).
This way it can be understood much better.

Best Regards,
Bernhard