Locking doesn't have any effect on password manager

[aardbol]

Trying to retrieve a password prompts for the user PIN. Entering the right one opens the password vault. But triggering nitrocli lock after that doesn't lock the password vault.

Device: Nitrokey Pro 2

[d-e-s-o]

What exactly do you mean by password vault? Is that an OS construct? Or are you referring to Nitrokey's password safe? Can you please provide steps to reproduce if it's the latter?

[robinkrahl]

Thanks for the report! I think that the PWS is locked correctly. It just seems to be unlocked because pinentry caches the user PIN. (Actually, nitrocli always unlocks the PWS before accessing it, even if it is currently unlocked.) To see every PIN query, clear the pinentry cache with `nitrocli pin clear` and then disable the cache by setting the NITROCLI_NO_CACHE environment variable. You should see that nitrocli queries the PIN on every PWS access. If you want to verify that the PWS is locked, try to access it with another application that does not unlock the PWS (maybe Nitrokey App?). Or you can write a simple program with libnitrokey that tries to access the PWS without unlocking it. To see what commands are executed by nitrocli, add the -vvv option. You should see that `nitrocli lock` executes the LOCK_DEVICE command, and that the PWS is unlocked with the PW_SAFE_ENABLE command before every access.

[aardbol]

You are right. It is properly locked after verifying it with your instructions.

For how long is the PIN cache valid? Is there any way to manipulate the lifetime of the cache instead of disabling it?

Aside from that, it would also be useful to be able to set the PIN from stdin

[robinkrahl]

For how long is the PIN cache valid? Is there any way to manipulate the lifetime of the cache instead of disabling it?

This depends on your gpg-agent configuration, see the --default-cache-ttl and --max-cache-ttl options [0]. The defaults are a TTL of ten minutes for cached values, renewed on every access, with a maximum of two hours. [0] https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html

[d-e-s-o]

Just to add to what Robin said, you can also set these configurations through the gpg-agent(1) configuration file (e.g., in ~/.gnupg/gpg-agent.conf):

# invalidate entries after 30s
default-cache-ttl 30
max-cache-ttl 30

[d-e-s-o]

I take it that everything got clarified here and we can close the issue. Feel free to reopen or follow up if something is still unclear or broken.