Pass-secret-service auto-decrypt

Hi,

I am using pass and the pass-secret-service and I am trying to auto-decrypt the password store on login. I am also using ly as my display manager and hyprland as my DE. I can see on the wiki there is an auto-decrypt for kwallet and gnome-keyring but I can’t see anything for pass. Can anyone give me some direction on this?

1 Like

While waiting for a solution, it’s worthwhile to consider the security implications of binding your GPG unlock directly to your login session.

After all, if your password manager is permanently unlocked as long as you’ve logged into your computer, you must always lock it before leaving it unattended. If it’s a laptop, someone could grab it from you and use your entire keychain of credentials (banking? healthcare? github? etc) against you without anything to stop them.

An option that may be better is to have a hardware key with a PIN; that would likely increase your overall security and make it so you’d only have to type a shorter, easier password to unlock your keychain.

But typically, the use case is that gpg-agent decrypts on demand, and then drops the key after some certain TTL, which is generally speaking the best practice. You’ll also see if you e.g. try to generate a gpg key without a password, or try to remove one, that it will warn you that it’s a bad idea.

1 Like
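The cache-lifetime behaviour described in the reply above can be checked against a `gpg-agent.conf`. This is an added example, not part of any post in this thread: the function names, limits and sample config are constructed, while `default-cache-ttl`, `max-cache-ttl` and `allow-preset-passphrase` are existing gpg-agent options.

```shell
#!/bin/sh
# Added example: audit gpg-agent.conf passphrase-cache settings.
# The limits are constructed policy values, not GnuPG recommendations.

# agent_opt FILE OPTION DEFAULT: print the value of OPTION, or DEFAULT if unset.
# Assumption: if an option is repeated, the last occurrence is reported.
agent_opt() {
    [ -r "$1" ] || { echo "$3"; return 0; }
    awk -v opt="$2" -v val="$3" '
        $1 == opt && $2 ~ /^[0-9]+$/ { val = $2 }
        END { print val }' "$1"
}

# audit_agent_conf FILE [DEFAULT_LIMIT] [MAX_LIMIT]
# Prints one line per finding and returns 1 if there was any finding.
audit_agent_conf() {
    conf=$1; soft=${2:-600}; hard=${3:-7200}
    findings=0
    # 600 s and 7200 s are gpg-agent's documented built-in defaults.
    ttl=$(agent_opt "$conf" default-cache-ttl 600)
    max=$(agent_opt "$conf" max-cache-ttl 7200)
    if [ "$ttl" -gt "$soft" ]; then
        echo "default-cache-ttl $ttl s exceeds limit of $soft s"; findings=1
    fi
    if [ "$max" -gt "$hard" ]; then
        echo "max-cache-ttl $max s exceeds limit of $hard s"; findings=1
    fi
    # allow-preset-passphrase lets a helper seed the cache without a prompt.
    if [ -r "$conf" ] &&
       grep -Eq '^[[:space:]]*allow-preset-passphrase([[:space:]]|$)' "$conf"; then
        echo "allow-preset-passphrase is enabled"; findings=1
    fi
    return "$findings"
}

# Constructed sample config: the key stays cached for 24 h.
sample_conf() {
    printf '%s\n' '# constructed sample' \
        'default-cache-ttl 86400' 'max-cache-ttl 86400' \
        'allow-preset-passphrase'
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_agent_conf "$tmp" || echo "review the settings above"
rm -f "$tmp"
```

Point it at your own file with `audit_agent_conf ~/.gnupg/gpg-agent.conf`; a missing file is audited as the built-in defaults.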

That’s a fair point. Although my use case is pretty simple, I’m using it just for apps to authenticate and not for my passwords (I have vaultwarden for that). This is just for stuff like nextcloud-client which asks for my login every time I turn on my PC. I tested it and it logged in automatically on boot when the password store was initialized with a non-password-protected GPG key.

The hardware key is a neat idea though. I do have a yubikey but I haven’t done a proper deep dive with the extra stuff of yubikey outside of the web passkey stuff.

1 Like