{ "info": { "author": "rendaw", "author_email": "spoo@zarbosoft.com", "bugtrack_url": null, "classifiers": [ "License :: OSI Approved :: BSD License" ], "description": "# Trezor as a GPG passphrase\n\nInstall with:\n```\npip install trezor-gpg\n```\n\nUsing this, when GPG needs to unlock a key `trezor_gpg` will bring up a keypad to enter your Trezor PIN.\n\nYou may enter your PIN using the on-screen buttons or the keyboard grids:\n\n```\nw e r u i o 7 8 9\ns d f j k l 4 5 6\nx c v m , . 1 2 3\n```\n\nPress `enter` to submit the PIN, `escape` to cancel, or `backspace` to clear the PIN.\n\n# Advantages and disadvantages\n\n1. This prevents passphrase keylogging\n2. It uses a difficult passphrase by default\n3. It reduces the number of things you need to remember (assuming you already remember your Trezor PIN)\n\nIf you're using this for general encryption:\n\n* It doesn't protect your GPG secret from memory eavesdropping as directly using Trezor's decrypt/encrypt functions would\n\nIf you're using this for a password manager like `pass` or `gopass`:\n\n* If someone were to implement a direct-Trezor password manager without GPG the decryption key would never be in your computer's memory, so unused passwords would be safer.\n\nAlso, see the current limitations discussed below.\n\n# Installation\n\n`gpg2` must be installed and on your `PATH`. This guide assumes you're using the default GPG2 agent and not Seahorse.\n\n1. Run `pip install trezor_gpg`\n2. Find where it's installed by running `which trezor_gpg`\n3. Add this line to `~/.gnupg/gpg-agent.conf`: `pinentry-program /path/to/trezor_gpg`\n4. Run `echo RELOADAGENT | gpg-connect-agent` or restart your computer\n\n### Setting up Trezor passphrases\n\n1. 
Run `trezor_gpg -a KEY`\n\nIf your key has an existing non-Trezor passphrase, you need to remove the passphrase with the default pinentry program first (before doing step 3 above).\n\n**Note**: Responding to the old passphrase prompt requires `trezor_gpg` to identify certain prompt messages - if you have messages in a language other than English this may not work. Adding a passphrase may ask you to press confirm on your Trezor up to 4 times.\n\n### Removing a Trezor passphrase\n\n1. Run `trezor_gpg -r KEY`\n\n**Note**: Responding to the new passphrase prompt requires `trezor_gpg` to identify certain prompt messages - if you have messages in a language other than English this may not work.\n\n### Disable redundant GPG passphrase cache\nYou may also want to disable GPG passphrase caching since Trezor has its own cache period. Add this to `gpg-agent.conf` or modify the value if it's already there:\n```\nmax-cache-ttl 0\n```\nand restart the agent via step 4 above.\n\n### Configuration\n\nSet these environment variables on your `gpg-agent` daemon, by overriding `/usr/lib/systemd/user/gpg-agent.service` for example.\n\n* **PINENTRY_TREZOR_DEBUG** = `1`. Write logs to `~/.cache/trezor-gpg/log/debug.log`\n* **PINENTRY_TREZOR_DONT_FLASH** = `1`. Don't show which keypad button was pressed when using the keyboard.\n* **PINENTRY_TREZOR_KEYSET** = `123456789`. Use this letter grid for keyboard entry.\n\n# Current Limitations\n\n* This doesn't use locked memory, which means **the decrypted passphrase may be written to disk** if memory is paged out!\n* No support for TTY entry since Python `getpass` is hardcoded to a specific TTY\n* No mixed passphrase support - all passphrased keys must have Trezor passphrases or none\n* Passphrases are based on the key fingerprint so they can't be changed\n\n# How It Works\n\n`trezor_gpg` acts as a pinentry program - when GPG needs to unlock an existing key or lock a new key it runs `trezor_gpg`. 
`trezor_gpg` treats the key's fingerprint as an encrypted blob and decrypts it to use as a synthetic passphrase. The fingerprint is unique to the key and an inseparable property, so if you export the key and import it on another system `trezor_gpg` can still retrieve all the information it needs.", "description_content_type": null, "docs_url": null, "download_url": "https://github.com/rendaw/python-trezor-gpg/tarball/v0.0.6", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/rendaw/python-trezor-gpg", "keywords": "", "license": "BSD", "maintainer": "", "maintainer_email": "", "name": "trezor-gpg", "package_url": "https://pypi.org/project/trezor-gpg/", "platform": "", "project_url": "https://pypi.org/project/trezor-gpg/", "project_urls": { "Download": "https://github.com/rendaw/python-trezor-gpg/tarball/v0.0.6", "Homepage": "https://github.com/rendaw/python-trezor-gpg" }, "release_url": "https://pypi.org/project/trezor-gpg/0.0.6/", "requires_dist": null, "requires_python": "", "summary": "Use Trezor for GPG passphrases", "version": "0.0.6" }, "last_serial": 3599039, "releases": { "0.0.3": [ { "comment_text": "", "digests": { "md5": "2d75b78cba08d78d062cb9324ea2e19e", "sha256": "50c782deb0a122110b78f7de192021e96c5c506ccfc63feb521e605ae0577065" }, "downloads": -1, "filename": "trezor_gpg-0.0.3.tar.gz", "has_sig": false, "md5_digest": "2d75b78cba08d78d062cb9324ea2e19e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5634, "upload_time": "2018-02-13T11:23:03", "url": "https://files.pythonhosted.org/packages/c9/29/a993b89fb2ff5f5ec3b1c7be4e0719074d4a908a51013f5baf4871717787/trezor_gpg-0.0.3.tar.gz" } ], "0.0.4": [ { "comment_text": "", "digests": { "md5": "fb5c138ca1aa06be466945ce31d7f272", "sha256": "958cf18a636fa21a28cfcaee6c5c5d5444887b5febf3781ac0de4ee043f21dce" }, "downloads": -1, "filename": "trezor_gpg-0.0.4.tar.gz", "has_sig": false, "md5_digest": 
"fb5c138ca1aa06be466945ce31d7f272", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5650, "upload_time": "2018-02-13T11:25:12", "url": "https://files.pythonhosted.org/packages/93/24/6d763233478be90ff08e9485d6116a04f9dd773aec5532501c7224cbcce3/trezor_gpg-0.0.4.tar.gz" } ], "0.0.6": [ { "comment_text": "", "digests": { "md5": "e00e8602ccead9648db630e34a2659e0", "sha256": "7a1381936042638eab1f12f8c39d1ef621cee09427850de75eb5538ca47079c9" }, "downloads": -1, "filename": "trezor_gpg-0.0.6.tar.gz", "has_sig": false, "md5_digest": "e00e8602ccead9648db630e34a2659e0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6042, "upload_time": "2018-02-20T13:08:16", "url": "https://files.pythonhosted.org/packages/73/7b/f494452789b186a131b783a7134f305fa4380a3e05c936322214fef5ae5e/trezor_gpg-0.0.6.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "e00e8602ccead9648db630e34a2659e0", "sha256": "7a1381936042638eab1f12f8c39d1ef621cee09427850de75eb5538ca47079c9" }, "downloads": -1, "filename": "trezor_gpg-0.0.6.tar.gz", "has_sig": false, "md5_digest": "e00e8602ccead9648db630e34a2659e0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6042, "upload_time": "2018-02-20T13:08:16", "url": "https://files.pythonhosted.org/packages/73/7b/f494452789b186a131b783a7134f305fa4380a3e05c936322214fef5ae5e/trezor_gpg-0.0.6.tar.gz" } ] }