Hello
Is there a way to have Enigmail without pinentry?
The issue is that I am using KeePass for my passwords, which are long and random (as they should be). Most passwords I don't even see; I just use Copy Password and paste it where I need it.
Now Pinentry blocks all copy & paste and the keyboard when it prompts for the password for my private key. Since I write a lot of emails and I don't want to retype 20 random characters every few minutes, I have no use for this behaviour of pinentry. I understand that this behaviour is a feature and I understand the security idea of pinentry, but I don't agree with it because it discourages the use of complicated, random passwords. Anyhow, how do I use Enigmail without the pinentry stuff?
Pinentry is a mandatory requirement for GnuPG 2.x (not for Enigmail).
AFAIK, you can configure pinentry to accept copy & paste. Otherwise you have to use GnuPG 1.4.x.
I use KeePass with Pinentry by using the Auto-Type feature. I added a custom sequence for the pinentry window (edit entry > Auto-Type) to be "{PASSWORD}" and then I use the global Auto-Type hotkey (default: Ctrl+Alt+A). Adding a custom rule for the pinentry window is necessary for the global Auto-Type feature to know which password to use. Unfortunately, this method only allows for one password for pinentry, so if you use more than one account with different passwords this method won't work.
Pinentry, or rather gpg-agent, can be configured to cache passphrases for a settable time. You don't have to enter it again and again. Gpg-agent caches different passphrases for different keys/accounts. Please read the documentation about gpg-agent for your platform on how to achieve this.
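The caching this comment points at is controlled by two options in gpg-agent.conf. What follows is an added example, not code from the thread or from the GnuPG project: a small POSIX shell script (the function names are our own) that writes `default-cache-ttl` and `max-cache-ttl` idempotently and reloads the agent so the change takes effect. It assumes GnuPG 2.x and, for the reload step only, that `gpgconf` is on the PATH; it also handles the case a one-off manual edit would not, namely being run again on a file that already contains the options, which is what you want when the same setting is rolled out to several workstations.

```shell
#!/bin/sh
# Added example (not from the thread): make the gpg-agent passphrase cache
# lifetime explicit and reload the running agent so it takes effect.
# Assumes GnuPG 2.x and a POSIX shell; the function names are our own.
#
# gpg-agent.conf options involved (see gpg-agent(1)):
#   default-cache-ttl  seconds a cached passphrase stays usable after its
#                      last use (GnuPG's built-in default: 600)
#   max-cache-ttl      hard upper bound in seconds since the passphrase was
#                      entered, regardless of use (built-in default: 7200)

GNUPG_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"

# set_agent_cache_ttl <conf-file> <default-ttl> <max-ttl>
# Rewrites both options idempotently: existing copies are removed and one
# fresh pair is appended, so running it again on every workstation is safe.
# Other lines in the file (e.g. pinentry-program) are left untouched.
set_agent_cache_ttl() {
    conf="$1"; def="$2"; max="$3"
    for v in "$def" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "ttl values must be non-negative integers" >&2; return 1 ;;
        esac
    done
    if [ "$max" -lt "$def" ]; then
        echo "max-cache-ttl ($max) must not be below default-cache-ttl ($def)" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")"
    tmp="$conf.tmp.$$"
    {
        if [ -f "$conf" ]; then
            sed -e '/^default-cache-ttl/d' -e '/^max-cache-ttl/d' "$conf"
        fi
        printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$def" "$max"
    } > "$tmp"
    chmod 600 "$tmp"          # gpg warns about unsafe permissions on its config
    mv "$tmp" "$conf"
}

# get_agent_cache_ttl <conf-file> <option>
# Prints the effective value of an option (the last occurrence wins);
# prints nothing if the option is absent.
get_agent_cache_ttl() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# reload_agent: make a running agent re-read its configuration. The SIGHUP
# that gpgconf --reload sends also flushes every cached passphrase.
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    gpgconf --reload gpg-agent
}

# Usage: sh agent-cache.sh <default-ttl> <max-ttl>
# With no arguments nothing is changed, so the file can be sourced safely.
if [ "$#" -eq 2 ]; then
    set_agent_cache_ttl "$GNUPG_CONF" "$1" "$2" && reload_agent
    echo "default-cache-ttl=$(get_agent_cache_ttl "$GNUPG_CONF" default-cache-ttl)"
    echo "max-cache-ttl=$(get_agent_cache_ttl "$GNUPG_CONF" max-cache-ttl)"
fi
```

`max-cache-ttl` caps the lifetime no matter how often the key is used, so it is the value to lower if an unattended workstation with a still-cached passphrase is the worry. To check which keys currently have a cached passphrase, `gpg-connect-agent 'keyinfo --list' /bye` prints one KEYINFO line per keygrip; its `cached` column is `1` while the passphrase is in the cache and `-` otherwise. `gpg-connect-agent reloadagent /bye` flushes the cache on demand without restarting anything.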
Sorry, I don't want workarounds, I want to use copy & paste. We have some office workplaces and I do not feel like fiddling around on all stations.
@Patrick: No, you cannot; the author of pinentry does not want it to accept copy & paste, he says copy & paste is bad. I do not agree with his view; it makes the use of pinentry with secure passwords impracticable. He also says that if one saves a password in a file, he may as well have no password at all. It seems like he has never heard about password safes like KeePass. A major feature of KeePass is that you can work with as many passwords as you like, having them really long and random, without the need to even see your password once, which adds extra security, as long as your KeePass main password is safe. So you only have to learn one complicated password once and have hundreds of secure passwords accessible by a click.
And, as someone once said: if a "feature" is not removable, then it's considered to be a bug instead.
The solution of caching passwords is also not practicable, because this leaves the application literally "open" for that time as well. I don't see why disabling a security check (which is what caching passwords literally is) should be a workaround to fix a bug in the password entry field.
I think people should use gpg more instead of sending everything in plaintext through the web. gpg requires secure passwords to be secure. If people face pinentry, they either start using insecure passwords, because they are easier to type, or won't use it at all. Both consequences are bad.
Well, tastes differ. I think that an open KeePass may as well have the same consequences as a cached passphrase by Enigmail or gpg-agent. If your machine is busted, you're done.
To turn this discussion into something constructive: Pinentry is open source and free software. You can make whatever modifications are necessary to fit it to your needs. You may even ask on the gpg-users mailing list for help; probably Werner will give you some hints on how to achieve what you want.