
[Question] Should I not enter my PIN via my pinentry-program rather than my Trezor?

Open doolio opened this issue 5 years ago • 7 comments

So I may be a unique case amongst your users. I'm using my Trezor (Model T) along with pass to manage my passwords. I also use Emacs to interact with my password-store; there is an Emacs major mode and other packages that facilitate this. As the trezor-agent documentation suggests, I configured run-agent.sh to use pinentry-emacs as my pinentry-program as follows:

--pin-entry-binary=pinentry-emacs
--passphrase-entry-binary=pinentry-emacs

which raises the question of whether a gpg-agent.conf (where pinentry-program would normally be defined) applies to trezor-gpg-agent.

This resolves the issue https://github.com/NicolasPetton/pass/issues/41 I was experiencing.

However, I still enter my PIN on the trezor itself. Is that expected if using a pinentry-program?

That same issue describes the number of times I'm prompted by my Trezor to decrypt a specific GPG password file. Is it normal to be prompted more than once when accessing a GPG file? Thanks for your time.

doolio avatar Apr 16 '20 21:04 doolio

Thanks for reporting this issue! I am actually also using pass with Trezor :)

Since the Trezor Model T supports on-device PIN entry, you shouldn't be prompted to enter the PIN on your host machine. However, you will get an on-device notification each time you decrypt a password, since the Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

romanz avatar Apr 17 '20 11:04 romanz
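To make romanz's point concrete, here is an added illustration (example code written for this page, not part of the thread and not trezor-agent's own code) of why every `pass` entry costs one device confirmation. The model is a constructed one: a toy finite-field Diffie-Hellman group stands in for the GPG key's curve, a SHA-256 counter stream stands in for the symmetric cipher, and a `Device` object stands in for the Trezor, holding the private scalar and counting each private-key operation as one on-device prompt. Because each encrypted file carries its own ephemeral public key, the file key can only be derived by running the private-key operation again for that file; there is no single secret the host could cache to skip the prompt.

```python
"""Per-file key agreement: why each decrypt needs the hardware key once.

Constructed model, not trezor-agent code. The group, cipher and KDF are toys
chosen so the example runs offline with only the standard library.
"""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption: stands in for the real curve).
P = (1 << 127) - 1   # Mersenne prime modulus, fits in 16 bytes
G = 3                # fixed generator


def kdf(shared_secret: int, info: bytes) -> bytes:
    """Derive a 32-byte file key from the agreed secret (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + info).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (toy cipher, round-trips only)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


class Device:
    """Stands in for the Trezor: the private scalar never leaves this object,
    and every private-key operation is counted as one on-device confirmation."""

    def __init__(self) -> None:
        self._x = 2 + secrets.randbelow(P - 3)   # long-term private scalar
        self.public = pow(G, self._x, P)         # exported to the host (the GPG public key)
        self.confirmations = 0

    def key_agreement(self, ephemeral_pub: int) -> int:
        self.confirmations += 1                  # one prompt on the device screen
        return pow(ephemeral_pub, self._x, P)


def encrypt(recipient_pub: int, plaintext: bytes) -> tuple[int, bytes]:
    """Host-side encryption with a fresh ephemeral key per file, as OpenPGP ECDH does."""
    y = 2 + secrets.randbelow(P - 3)
    ephemeral_pub = pow(G, y, P)
    file_key = kdf(pow(recipient_pub, y, P), b"pass-store")
    return ephemeral_pub, keystream_xor(file_key, plaintext)


def decrypt(device: Device, ephemeral_pub: int, ciphertext: bytes) -> bytes:
    """Decryption must ask the device for this file's specific ephemeral key."""
    file_key = kdf(device.key_agreement(ephemeral_pub), b"pass-store")
    return keystream_xor(file_key, ciphertext)


def decrypt_store(device: Device, store: dict) -> dict:
    """Decrypt every entry of a password store; each entry costs one confirmation."""
    return {name: decrypt(device, eph, ct) for name, (eph, ct) in store.items()}


def demo() -> tuple[int, int, bool]:
    """Encrypt three constructed entries, decrypt them all, and report
    (entries, device confirmations, all round-trips correct)."""
    device = Device()
    passwords = {  # constructed sample entries, not real credentials
        "mail/alice": b"correct horse battery",
        "vpn/work": b"staple-staple-staple",
        "bank/main": b"sixteen-byte-pw!",
    }
    store = {name: encrypt(device.public, pw) for name, pw in passwords.items()}
    recovered = decrypt_store(device, store)
    return len(store), device.confirmations, recovered == passwords


if __name__ == "__main__":
    print(demo())   # three entries, three confirmations, True
```

Reading three entries in Emacs therefore means at least three device prompts; anything beyond one prompt per file is the host (here, the editor's `pass` integration) calling decrypt more than once, not the device asking twice for the same file.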

Sorry for the late response.

you will get an on-device notification each time you decrypt a password, since the Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

That's understood. However, I get on-device prompting more than once, but this is due to my (mis-?)use of Emacs, for which I'm still searching for a solution.

the question of whether a gpg-agent.conf (where pinentry-program would normally be defined) applies to trezor-gpg-agent?

I presume gpg-agent.conf is not applicable to the trezor-gpg-agent. Can you confirm?

Thanks for your time.

doolio avatar May 03 '20 16:05 doolio

Since the Trezor Model T supports on-device PIN entry, you shouldn't be prompted to enter the PIN on your host machine.

In Trezor suite, you also have an option of entering password either on the device or on the machine...

Dehumanizer77 avatar Apr 05 '24 20:04 Dehumanizer77

In Trezor suite, you also have an option of entering password either on the device or on the machine

Do you? I can't seem to find such an option.

doolio avatar Apr 05 '24 22:04 doolio

Of course you do... https://trezor.io/content/wysiwyg/Images_sorted/PUBLIC_ALL_Security_and_Privacy/Security_best_practices/Passphrase/Empower%20update/Passphrase%20and%20hidden%20wallets%201.png

Dehumanizer77 avatar Apr 06 '24 05:04 Dehumanizer77

You see this when you want to create a new wallet? I have the option to create a hidden wallet and if I do I presume I'll be presented with this GUI?

doolio avatar Apr 06 '24 12:04 doolio

This is the default screen when connecting a Trezor if you have a passphrase enabled. There is no "creation" of a hidden wallet; a passphrase is, simply said, another seed word added to your seed, so every passphrase you enter is essentially a different wallet.

Dehumanizer77 avatar Apr 06 '24 12:04 Dehumanizer77