As asked at https://wald.intevation.org/forum/message.php?msg_id=5748 I start a new thread but this is practically quite similar issue.
In GNU/Linux there is e.g. Seahorse, more or less alternatives can be found at https://alternativeto.net/software/seahorse/
In macOS there is Keychain Access, more or less alternatives can be found at https://alternativeto.net/software/keychain-access/
What is appropriate alternative for MS Windows?
Under appropriate I mean:
- also apps and not only web browsers like it used to under MS Windows
- automatic fulfill without user intervention like is possible in case of Seahorse or Keychain Access
If to store vault without password in Seahorse, Keychain Access then it works seamlessly. Let’s say we use disk encryption that will be unlocked when logging into OS.
Program called Kleopatra in MS Windows is NOT the solution - just tested. Kleopatra can be loaded as a daemon with parameter --daemon but that’s all - it does not provide passwords after cache timeout as arrived or over reboots.
Haven’t seen any other solution for MS Windows similar to macOS Keychain or GNU/Linux Seahorse but this is what I ask whether anybody knows. This means WITHOUT human intervention seamlessly provide GPG key password over reboots (among any other app password that might be needed). In browser there in MS Windows is possible to establish such seamless situation but not in apps like in macOS or GNU/Linux as far as I have found for now.
thanks for opening a new issue!
It is a general question for windows and while it touches encryption and security
just like Gpg4win, it is not a general Gpg4win problem.
Note that in the other thread it was about how to cache a passphrase for a
secret key (used for OpenPG or CMS) forever and the solution is to not use a passphrase
on the key because if the computer shall be able to use the key automatically without human
interaction then there is no need for a passphrase as it does not add to the security of the setup.
Also note that Kleopatra is mainly the expert interface to the GnuPG crypto functionalities, it is not a general password storage.
(BTW: As for Seahore, there were some versions that had problems when seahores was posing as gpg-agent, see https://wiki.gnupg.org/PlatformNotes?highlight=(Seahorse) . )
Guess on the overal windows question, it would take some research if the functionality of filling in passwords in all applications actually is a good idea within the security concept of windows. Some UAC dialogs cannot be accessed from general applications, which is on purpose and making some attacks much harders.
I know that this sounds insecure but same behaviour is under other operating systems possible and not in MS Windows? At least this should be possible that user can choose from some kind of app that key password. It is also known practice to have secure (lengthy and a bit complex) passwords. There must be some kind of compromise between these two situations.
I know that Kleopatra is not for that but it still has quite similar setting for that purpose.
That Seahorse issue seems to be at 2015. I constantly update and upgrade when newer releases come out and currently using already GnuPG 2.2.x.
It is very easy to distance yourself from this issue not to deal with it but this does not help me or anyone else and actually it concerns very much also with Gpg4win as its usage will be then abandoned if it is so uncomfortable as we must also have complex passwords and you need to type them all the time - there must be a better way to ensure security. Then people say that go away with your badly designed solution - this does not help us either. This means that if operating system is missing something important then good app should have it - that is what I would propose to have if there is no other and better way.
Why I am getting so often error (Exiting with error: You Attempted To Double-submit this item. Please avoid double-clicking.) when trying to reply here in forum (pressing once the Post Comment button)? Very annoying!
the question is: What can be implemented and how on Windows?
For the application you are proposing, I don’t know.
It may be that it is impossible or really hard.
If this is the case, we have to approach Microsoft.
As for seahorse 2015, this is an example that implementing parts of gpg-agent can be a problem. So there is some complexity. Overall I’m all for making things better for users
which means a better user experience with good security properties.
However this can be a lot of work.
ps.: In some circumstances the session is timed out. (We’ve reported this to the software makers.) The workaround until we have a fix is to logout and log-in again. Sorry for this.
That’s true - people have to suffer when they stick to MS Windows. On that particular computer I am switching to Linux and accommodating one Windows-only program into virtual machine. This is my workaround for that problem I described initially in the beginning of current thread. Not a bad solution after all…