Locking doesn't have any effect on password manager #134
Comments
What exactly do you mean by password vault? Is that an OS construct? Or are you referring to Nitrokey's password safe? Can you please provide steps to reproduce if it's the latter? |
Thanks for the report!
I think that the PWS is locked correctly. It just seems to be unlocked
because pinentry caches the user PIN. (Actually, nitrocli always
unlocks the PWS before accessing it, even if it is currently unlocked.)
To see every PIN query, clear the pinentry cache with `nitrocli pin
clear` and then disable the cache by setting the NITROCLI_NO_CACHE
environment variable. You should see that nitrocli queries the PIN on
every PWS access.
If you want to verify that the PWS is locked, try to access it with
another application that does not unlock the PWS (maybe Nitrokey App?).
Or you can write a simple program with libnitrokey that tries to access
the PWS without unlocking it.
To see what commands are executed by nitrocli, add the -vvv option. You
should see that `nitrocli lock` executes the LOCK_DEVICE command, and
that the PWS is unlocked with the PW_SAFE_ENABLE command before every
access.
|
You are right. It is properly locked after verifying it with your instructions. For how long is the PIN cache valid? Is there any way to manipulate the lifetime of the cache instead of disabling it? Aside from that, it would also be useful to be able to set the PIN from stdin. |
For how long is the PIN cache valid? Is there any way to manipulate
the lifetime of the cache instead of disabling it?
This depends on your gpg-agent configuration, see the
--default-cache-ttl and --max-cache-ttl options [0]. The defaults are a
TTL of ten minutes for cached values, renewed on every access, with a
maximum of two hours.
[0] https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
|
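As an added illustration of the two gpg-agent options named above (this is not a configuration from the thread or from the nitrocli project), the fragment below shows where they go and what the values mean. The TTL values are seconds and were chosen here only as an example; the file path is the default gpg-agent configuration location.

```conf
# ~/.gnupg/gpg-agent.conf (added example; values in seconds are illustrative)

# How long a cached PIN stays valid after its last use.
# The timer is renewed on every access that hits the cache.
default-cache-ttl 300

# Hard upper bound: after this much time the entry is dropped
# regardless of how often it was used in the meantime.
max-cache-ttl 1800
```

After editing the file, the running agent has to be told to re-read it with `gpgconf --reload gpg-agent`; otherwise the previous TTLs remain in effect until the agent restarts. Shorter values narrow the window during which a cached PIN can be used without a prompt, which is the trade-off the question above is about.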
Just to add to what Robin said, you can also set these configurations through the
|
I take it that everything got clarified here and we can close the issue. Feel free to reopen or follow up if something is still unclear or broken. |
Trying to retrieve a password prompts for the user PIN. Entering the right one opens the password vault. But triggering
`nitrocli lock`
after that doesn't lock the password vault.

Device: Nitrokey Pro 2