Repetitive password typing using gopass with age backend

[anjos]

I'm trying to use gopass via an age backend to store chezmoi secrets. I initialised and configured gopass/age using a password-protected key. When I type gopass show <secret> everything seems to work. I have about 15 different secrets stored, that are used in various chezmoi templates via {{ gopass "..." }} and {{ gopassRaw "..." }}.

I'm experiencing a usability issue when gopass is used through chezmoi: Every time I invoke chezmoi apply I have to type-in the password for the age key multiple times (once per template entry that says {{ gopass "..." }}.

This works better when gopass uses a gnupg backend because it has an agent that stores the password once and remains active for a (configurable) amount of time.

Is there some setting I'm missing to avoid this repetitive password asking under these conditions? Or the only way to solve this would be to have an age key w/o password using a technique similar to what is suggested in the user guide?

Thanks in advance!

[anjos]

Apparently gopass does not accept using keys w/o password protection (which cannot be empty). This kind of rules out the suggestion above...

Alternatively, it is possible to use the form GOPASS_AGE_PASSWORD="<passphrase>" chezmoi diff to avoid the repetitive typing.

[twpayne]

As far as I can tell, gopass doesn't provide any time-limited session where you only have to type in your passphrase every N minutes when using the age backend. I think you get this when using the GnuPG backend as the passphrase is store in GnuPG's agent.

As an alternative, #4190 adds a builtin mode for gopass, similar to what chezmoi already offers for KeePassXC.

Would you be able to test this? You'll need to build chezmoi from PR #4190 and set gopass.mode to builtin in your configuration file, and then it should Just Work (tm).

[anjos]

Thanks for the quick reply. I'm on it.

[anjos]

@twpayne: the patch works like a charm 🚀 . It only asks me for the password once, and also solves another annoyance by by-passing pin entry issues with the terminal client I'm using (Kitty)! So, many thanks!

Is a release with this fix coming soon?

[twpayne]

Is a release with this fix coming soon?

Likely in about one week. chezmoi releases on roughly a two week cycle to avoid overwhelming downstream packagers, and the last release was last week.

[anjos]

BTW, will the pinentry config value also affect the way the password is read? Yes, it will!

[twpayne]

BTW, will the pinentry config value also affect the way the password is read?

Yes, chezmoi reads passwords with pinentry if it is configured. See

chezmoi/internal/cmd/prompt.go

Line 127 in 94f00d1

func (c *Config) readPassword(prompt string) (string, error) {

[anjos]

Beautiful, thanks!

[anjos]

@twpayne: could the same rationale be applicable to the age encryption support? As of now one has to type the password multiple times when chezmoi runs, if one wants to keep the encryption key password protected (i.e. not apply this trick).

Looking at the user guide, it seems that the built-in age support will not accept passphrases because "chezmoi needs to decrypt files regularly". If attainable, avoiding the repetition within the same call could improve this workflow a bit?

[twpayne]

Possibly, but not easily. As I understand it, age uses a variety of pluggable identity providers, and chezmoi cannot know ahead of time which ones an encrypted secret requires, i.e. chezmoi cannot tell if you're using a passphrase, YubiKey, an unencrypted private key file, or something else. Therefore, chezmoi cannot prompt for and cache a password or similar. My understanding might be incorrect, however.

[anjos]

Understood! Thanks for the explanation.