On Mon 2019-11-11 20:10:26 +0100, Ralph Seichter wrote:

> I tried that by setting GPG_TTY to a fixed terminal, but while this
> seemed to work on the first call, the second time I was prompted for a
> password it was echoed, in cleartext, to the terminal. Is there a better
> method to achieve what you proposed?
I don't fully understand the parameters of what you just posted here, but my understanding is that Werner Koch (GnuPG upstream) expects pinentry-tty or pinentry-curses to work in this dedicated terminal mode. If you can post a full and clear description of what you did and how it did not work as expected to https://dev.gnupg.org/ as a bug report, and point me to it, i am happy to try to make sure that report gets some kind of reasonable resolution from upstream (even though i probably don't have time to solve it myself). Let me know if you can't get an account working to report a bug on that system, i can probably grease the skids there too.

>> To be clear about your threat model here: [...]
>
> Barring break-ins, nobody but me is logging in on that particular
> server, so intercepting gpg-agent would be difficult. Access to the
> Notmuch index would not be any easier, unless somebody physically
> removed the hard drives.
>
> The lock/unlock operations seem interesting, and, if it was based on
> strong encryption, I would feel more comfortable. Are you thinking of
> protecting just the index or the whole Maildir store? The latter would
> not work for me, because Dovecot needs to access the data, and if only
> the index is protected, I'd still need to decrypt messages within Emacs.

This hypothetical subcommand would just protect the index. If the index is unlocked, and you're using:

    notmuch config set index.decrypt true

then you will be able to read your mail without access to your long-term secret key material, because notmuch will stash a copy of the session key for each message in the index, and decryption can happen with that session key on its own. Please read the index.decrypt section of notmuch-config(1) for more details.

Regards,

--dkg
notmuch mailing list
[email protected]
https://notmuchmail.org/mailman/listinfo/notmuch
