Making KeePassX work with Pinentry and Enigmail

Posted by JD 03/28/2011 at 23:00

KeePassX is my password manager of choice.
Enigmail is the GnuPG signature and encryption add-on for Thunderbird.
Pinentry is used by Enigmail to enable secure entry of PINs, passwords and pass phrases. It blocks copy/paste and forces all keyboard entry into the pinentry text field. That’s great if you have trivial or easily typed pass phrases. I do not.

These are all fantastic, until you depend on KeePassX to hold the non-trivial pass phrases that protect your certificates. Since pinentry doesn’t allow copy/paste, there is a major issue. If your pass phrase is non-trivial and long, then manually entering it whenever you need to read or send a sensitive email is beyond a hassle. It sucks. pinentry also grabs both the keyboard and copy/paste events, so you are probably unable to alt-tab to the window you really need. Anything typed on the system gets placed into the pinentry text field. How rude.

Workaround

There is a workaround – it is a hassle, but better than trying to type 50 characters of assorted keys.

Use the mouse to select the Perform Autotype option for your specific KeePassX entry. For this to work, the Userid field of that entry needs to be empty, and KeePassX must already be unlocked before you begin any encryption work. Triggering the autotype with the mouse works where keyboard paste does not.

You’ll probably want to set up gpg-agent to hold your keys for a while too. Anything to avoid going through this crap to retype pass phrases for certificate access.
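One way to set up the gpg-agent caching mentioned above, as an added example that is not part of the original post: it writes bounded cache lifetimes into gpg-agent.conf without duplicating or disturbing other settings. The TTL values (1800 and 7200 seconds), the function names and the script name agent-cache.sh are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). TTL values are assumptions.

# set_agent_option FILE KEY VALUE: replace KEY's line in FILE or append it.
set_agent_option() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")" && touch "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Keep every line except an earlier active setting of this key.
    awk -v k="$key" '$1 != k' "$file" > "$tmp" || return 1
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# get_agent_option FILE KEY: print the active value of KEY, if any.
get_agent_option() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# configure_agent_cache GNUPGHOME IDLE_SECONDS MAX_SECONDS
# default-cache-ttl: timer restarts on each use of the cached passphrase.
# max-cache-ttl: hard upper bound, after which pinentry prompts again.
configure_agent_cache() {
    conf="$1/gpg-agent.conf"
    if ! [ "$3" -ge "$2" ] 2>/dev/null; then
        echo "max-cache-ttl must be an integer >= default-cache-ttl" >&2
        return 1
    fi
    set_agent_option "$conf" default-cache-ttl "$2" &&
        set_agent_option "$conf" max-cache-ttl "$3"
}

# Apply to the real GnuPG home only when asked: sh agent-cache.sh --apply
if [ "${1:-}" = "--apply" ]; then
    configure_agent_cache "${GNUPGHOME:-$HOME/.gnupg}" 1800 7200 &&
        gpgconf --reload gpg-agent   # make the running agent re-read its config
fi
```

Keep max-cache-ttl short enough that an unattended, unlocked session does not leave the key usable indefinitely.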

I’m running Enigmail v1.1.2, Pinentry-gtk2 v0.7.6 and Thunderbird v3.1.8.


  1. ClearsTheScreen 07/13/2011 at 16:48

    I can confirm the same (stupid, if I may say — why block pasting again?) behaviour on Windows, using Thunderbird 5, Enigmail 1.2 and KeePass 1.15.

    I initially thought having long, randomly generated passwords was a good, secure idea … ;)

  2. Why Block Copy/Paste via Keyboard? 07/13/2011 at 17:12

    Why Block Copy/Paste via Keyboard? JavaScript can access these buffers, hence a bad person controlling a script could grab whatever is in the buffer and transmit it to any website they choose.

    Using the mouse to select Perform Autotype gets around the keyboard issue.

  3. Beth 10/18/2011 at 20:02

    For anybody using KeePass 1.x on Windows, there is a trick to getting focus to the pinentry when using the KeePass autotype.

    I got it to work by editing the “Notes” section of the GPG passphrase entry to have the following (you can use the Tools button to set these):

    Auto-Type: {PASSWORD}

    Auto-Type-Window: pinentry

    In the pinentry window for Enigmail (while it has focus), use Ctrl-Alt-A to cause KeePass to do the auto entry. This will get the passphrase to pinentry every time. It’s possible you don’t even need the Notes section for the Ctrl-Alt-A to trigger the KeePass autotype, but since I had it there, I didn’t bother removing it to see what happens.