
Main Problem

I wanted to be more secure and convenient with my passwords and encryption so I have been trying to make GPG with Emacs work for my password store and SSH agent.

I have Emacs-Pinentry working as expected from VTerm whenever I run Pass or SSH commands. Whenever I run such a command from within an Org Mode Bash source block, Emacs will hang; then, after pressing C-g C-g, the GUI Pinentry (gtk-2, I believe) will pop up. Typing in the password after quitting does let me use the rest of the commands without issue. I imagine the 'popup' element is just not coming up right.

Software & Configuration

I have set up GPG (2.2.32) and Emacs (29.0.50-1.0a5477b) with Emacs-Pinentry (0.1-1.dcc9ba0) on GNU Guix (5.19.8) and EXWM (0.26). The relevant config options are:

~/.config/emacs/init.el
     (setq epa-pinentry-mode 'loopback)
     (setq epg-pinentry-mode 'loopback)
     (pinentry-start)
     (shell-command "gpg-connect-agent /bye")
     (setq auth-sources '(password-store))
     (auth-source-pass-enable)

~/.bashrc
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null

~/.config/gnupg/gpg.conf
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

~/.config/gnupg/gpg-agent.conf
allow-emacs-pinentry
default-cache-ttl 3600
max-cache-ttl 60480000
default-cache-ttl 60480000
default-cache-ttl-ssh 60480000
max-cache-ttl-ssh 60480000
enable-ssh-support

Use Case

The use case for this, if you want to know, is to use Org Mode source blocks chained together to let me log into a PostgreSQL server, so that I can then run SQLAlchemy Python commands from within Org Mode to plot and notate nicely. In order to log in, I first port forward using

#+BEGIN_SRC shell :shebang #!/home/zjabbar/.guix-home/profile/bin/bash -i :results silent
ssh -NfL ${PORT}:localhost:${PORT} zain@${IP}
#+END_SRC

Then use Pass to get a password relevant to the server

#+NAME: secret
#+BEGIN_SRC shell :shebang #!/home/zjabbar/.guix-home/profile/bin/bash -i :results silent
pass show postgres
#+END_SRC

Then use that to get a string which I will feed into SQLAlchemy

#+BEGIN_SRC python3 :var secret=secret :results silent
connect_string = f"postgresql://zain:{secret}@localhost:PORT/DBNAME"
#+END_SRC

Do note, I am using an interactive shell from Org Mode using the shebang header argument. I have tried putting the same configuration from .bashrc into .bash_profile and it does not work. Moving to .bash_profile I think would also allow me to use sql-connect, as currently I get a public key error (likely sql-connect cannot find gpg-agent or something). Also, the pass show command will output the text to the message buffer, which still feels kind of bare for a secret password.

Please do give me further direction if I am doing something against infosec protocol. It's totally fine if you recommend using another cryptography workflow too.
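Added example, not from the question or its comments: one way to keep the secret out of Org Babel results and the *Messages* buffer is to fetch it from `pass` inside the Python block itself and percent-encode it into the connection URL, so a password containing `@`, `:` or `/` cannot be mis-parsed. The function names `read_secret`, `build_dsn` and `redact` are my own; the entry name `postgres` and user `zain` are taken from the question.

```python
"""Fetch a database secret inside the Python process instead of piping it
through an Org Babel :var, and build a PostgreSQL URL that survives special
characters in the password."""
import subprocess
from urllib.parse import quote


def read_secret(command=("pass", "show", "postgres")):
    """Run `pass show <entry>` in this process and return only its first line.
    Nothing is printed, so the secret never lands in Org results or *Messages*;
    only the caller holds it (assumes `pass` is on PATH)."""
    out = subprocess.run(command, capture_output=True, text=True,
                         check=True).stdout
    return out.splitlines()[0] if out else ""


def build_dsn(user, secret, host="localhost", port=5432, db="DBNAME"):
    """Percent-encode user and password (safe='' also encodes '/') so the
    URL always parses as intended, whatever the password contains."""
    return (f"postgresql://{quote(user, safe='')}:{quote(secret, safe='')}"
            f"@{host}:{int(port)}/{db}")


def redact(dsn):
    """Form of the DSN that is safe to log or echo: password replaced by '***'.
    rsplit on '@' is safe because an encoded password contains no literal '@'."""
    scheme, rest = dsn.split("://", 1)
    creds, hostpart = rest.rsplit("@", 1)
    user = creds.split(":", 1)[0]
    return f"{scheme}://{user}:***@{hostpart}"


if __name__ == "__main__":
    # Inside the Org block: keep `dsn` in the Python session and hand it to
    # sqlalchemy.create_engine(dsn); only ever display the redacted form.
    dsn = build_dsn("zain", read_secret(), port=5433, db="notes")
    print(redact(dsn))
```

SQLAlchemy 1.4+ offers `sqlalchemy.engine.URL.create(...)`, which performs the same escaping of the credentials; the point here is that the secret stays inside the Python process either way.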

  • `auth-source` / `authinfo` is the default way to store / retrieve passwords. Start from [Storing Database Authentication Details Securely](https://emacs.stackexchange.com/questions/67986/storing-database-authentication-details-securely). `M-x apropos sql wallet` turns up `sql-auth-source-search-wallet`: ***Read auth source WALLET to locate the USER secret.***, `sql-password-search-wallet-function`: ***Function to handle the lookup of the database password.***, `sql-password-wallet`: ***User option: Identification of the password wallet.***. –  Sep 25 '22 at 05:36
  • What I meant was ... there must be a way to avoid `pinentry` and manual inputting of passwords if you use the `sql` library together with its support for `authinfo` databases. –  Sep 25 '22 at 05:48

0 Answers