7

I'm using my laptop's fingerprint reader to unlock my computer and for sudo.

I also use a GPG key with password to sign my git commits.

Is there a way to have the GPG key be unlocked with fingerprint?

Relevant System information:

  • Operating System: Fedora Linux 35
  • KDE Plasma Version: 5.23.4
  • KDE Frameworks Version: 5.89.0
  • Hardware: Frame.work laptop (batch 5)
Alireza
  • There is a [PAM module for unlocking GPG on github](https://github.com/cruegge/pam-gnupg). At the same time, you can [setup your fingerprint reader with PAM](https://www.makeuseof.com/set-up-fingerprint-scanner-with-pam-on-linux/) so, someone more expert than me should be able to combine the two without too much difficulty. Anyone wanting to elaborate on this is welcome. – 1NN Aug 04 '23 at 10:55
  • So if I were to tie these two things together (fingerprint reader with PAM and PAM for GPG), would I have GPG unlocked all the time after I've logged in, or would I be prompted for the fingerprint every time I request to load the private key? I would prefer the latter. – aioobe Aug 04 '23 at 20:25
  • @Alireza ... You might find these resources useful or informative: https://gpgtools.tenderapp.com/discussions/feedback/15650-pinentry-mac-use-apple-watch-touchid-to-unlock-gpg-key and https://github.com/jorgelbg/pinentry-touchid – Vomit IT - Chunky Mess Style Aug 05 '23 at 14:23
  • Take a look at [gnome keyring](https://wiki.archlinux.org/title/GNOME/Keyring) which should allow GPG to remain unlocked throughout one session (you'll still need your password on first logon). Exists for Ubuntu, too, but less well documented. I don't have any way to test it out, though. – 1NN Aug 10 '23 at 16:37

2 Answers

2

Although passwords can be used for both authentication and encryption, that does not hold true for all methods of authentication.

Decryption is reversing a transformation done based on some (secret) data, and the only way to do that is with the exact same data. Authentication, on the other hand, is verifying that the supplied piece of data (password / fingerprint / etc.) matches the one registered.

It can be determined that an image of a fingerprint is of the same finger as the one used to enroll, but the images won't be exactly the same. So if you encrypted your GPG key with the data from a fingerprint image, you wouldn't be able to decrypt it using another image, even if we know it is of the same finger.

user1655754
  • So the question does not fully make sense? The passphrase is needed for decryption and can't simply be replaced with something that solves authentication? (Without tying it closely to keychains unlocked upon login.) – aioobe Aug 10 '23 at 08:18
  • I think that if I were to dream up a solution, I think it would be something like having the gpg-key (or gpg-key passphrase) stored in the system keychain, which could be unlocked through PAM (where fingerprints are easy to configure) but with the custom feature that this particular key requires re-authentication to be accessed every minute or so (not unlock once upon login, and then available without password until logout). – aioobe Aug 10 '23 at 13:06
  • Found this: https://unix.stackexchange.com/questions/614737/how-to-cache-gpg-key-passphrase-with-gpg-agent-and-keychain-on-debian-10 which might be relevant. – aioobe Aug 10 '23 at 13:10
  • 1
    See, the keychain itself needs to be decrypted, which cannot be done with a fingerprint. Sure, I suppose you can store the passphrase in plaintext, but then why bother having the gpg key password-protected at all, when the password is just as accessible as the key itself? I also found [this](https://bugs.launchpad.net/gnome-keyring/+bug/276384), which will probably be of interest to you – user1655754 Aug 10 '23 at 14:35
  • _"Sure, I suppose you can store the passphrase in plaintext, but then why bother have the gpg key password-protected at all"_ - Well, for the same reason you'd put _anything_ in the keychain / agent? To have something stored secretly/encrypted on disk, but for periods of time loaded in plaintext in memory. – aioobe Aug 10 '23 at 17:01
  • Encrypted with what, though? Usually, your password is your encryption key. The point here is that a keychain has the same problem as the gpg key, namely it needs an encryption key to work. – user1655754 Aug 10 '23 at 17:29
  • Ok. Thanks for the clarification. I understand your point now. Makes sense. – aioobe Aug 10 '23 at 17:45
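The distinction this answer draws (a matcher tolerates noise, a key derivation does not) can be made concrete with a small simulation. This is an added illustration, not code from the answer or from any fingerprint stack: the templates are constructed integer feature vectors standing in for real sensor data, the matcher is a simple per-feature tolerance, and the "key" is just SHA-256 over the template. It also tries the obvious workaround (rounding features into buckets before hashing) and shows why that fails at bucket boundaries.

```python
import hashlib
import hmac

# Constructed, simulated fingerprint templates: five integer "minutiae"
# coordinates per scan. Real templates are far richer, but the property that
# matters here is the same: two scans of one finger are close, never identical.
ENROLLED = (102, 60, 231, 88, 143)
SCAN_SAME_FINGER = (101, 59, 230, 88, 145)   # same finger, plus sensor noise
SCAN_OTHER_FINGER = (14, 190, 77, 203, 36)
TOLERANCE = 3  # matcher accepts if every feature is within +/-3 of enrolment


def matches(enrolled, scan, tol=TOLERANCE):
    """Authentication: a fuzzy yes/no decision that tolerates noise by design."""
    return len(enrolled) == len(scan) and all(
        abs(a - b) <= tol for a, b in zip(enrolled, scan))


def derive_key(material):
    """Key derivation: bit-exact. Any change to the input changes the whole key."""
    if isinstance(material, tuple):
        material = ",".join(str(v) for v in material).encode()
    return hashlib.sha256(b"example-key-wrap|" + material).digest()


def quantize(template, step=10):
    """A tempting fix: bucket the features so small noise rounds away.
    It fails whenever a feature sits near a bucket boundary (60 vs 59 here)."""
    return tuple(v // step for v in template)


def same_key(k1, k2):
    return hmac.compare_digest(k1, k2)


def compare():
    """The observations the answer makes, as booleans."""
    return {
        "scan_authenticates": matches(ENROLLED, SCAN_SAME_FINGER),
        "other_finger_rejected": not matches(ENROLLED, SCAN_OTHER_FINGER),
        "scan_derives_same_key": same_key(
            derive_key(ENROLLED), derive_key(SCAN_SAME_FINGER)),
        "quantized_scan_derives_same_key": same_key(
            derive_key(quantize(ENROLLED)), derive_key(quantize(SCAN_SAME_FINGER))),
        # A passphrase is typed exactly, so the same input always gives the same key.
        "passphrase_derives_same_key": same_key(
            derive_key(b"correct horse"), derive_key(b"correct horse")),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The second scan is accepted by the matcher but hashes to a completely different key, and quantizing does not rescue it: the enrolled value 60 and the scanned 59 land in different buckets even though they differ by one. Schemes that do turn noisy biometrics into a stable secret exist in the literature (fuzzy extractors), but they are not what a PAM fingerprint module gives you; PAM only reports match or no match.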
1

While I can't suggest specific software, since I don't know of any, after thinking about it for a couple of minutes I could think of two ways this could work:

  1. Your GPG key is encrypted using a TPM and you use your fingerprint for authentication, through appropriate software, to somehow "ask" the TPM to decrypt the key.

  2. Use the password to decrypt the key the first time it is decrypted and then it remains in protected memory controlled by an Agent/software. The Agent/software verifies your fingerprint for subsequent authorizations for the key to be used.

ARGYROU MINAS
  • This is precisely what my research tells me as well. As for approach 1, this is a good starting point: [Using a TPM with GnuPG 2.3](https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html) and approach 2 seem to be described [here](https://unix.stackexchange.com/questions/614737/how-to-cache-gpg-key-passphrase-with-gpg-agent-and-keychain-on-debian-10). – aioobe Aug 10 '23 at 22:17
  • I'd be interested to know if there are TPMs out there that can use a fingerprint for verification. Is your suggestion theoretical or do you actually know of such a device? – user1655754 Aug 10 '23 at 23:31
  • @user1655754 All TPMs are able to do it (at least TPM 2.0). You just need to find the appropriate software. I am not aware if such software exists or of any project names. But, it can certainly be done. – ARGYROU MINAS Aug 11 '23 at 00:40
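Approach 2 in this answer (passphrase decrypts once, an agent keeps the key in memory, later uses are gated by a fingerprint check with a time limit) can be sketched as a small in-memory agent. This is an added example written for this page, not gpg-agent code and not a description of how GnuPG works internally. Everything is stdlib-only and simplified: the "private key" is a random 32-byte HMAC key rather than an OpenPGP key, the at-rest protection is scrypt plus a SHA-256 keystream with an HMAC tag (a toy stand-in for GnuPG's passphrase protection), and the fingerprint reader is a caller-supplied callback returning True or False, which is all a matcher can provide (see the first answer). The re-authentication window is the "every minute or so" idea from the comments on the first answer.

```python
import hashlib
import hmac
import os
import time


def _keystream(kek, length):
    """SHA-256 in counter mode; toy stream cipher for the example only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(kek + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_key(private_key, passphrase):
    """Passphrase-protect a key for disk: scrypt KDF, encrypt, then MAC."""
    salt = os.urandom(16)
    kek = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, len(private_key))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_key(wrapped, passphrase):
    """Returns the key, or None if the passphrase is wrong or the blob was altered."""
    kek = hashlib.scrypt(passphrase.encode(), salt=wrapped["salt"], n=2**14, r=8, p=1, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    tag = hmac.new(mac_key, wrapped["salt"] + wrapped["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, wrapped["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(wrapped["ct"], _keystream(enc_key, len(wrapped["ct"]))))


class KeyAgent:
    """Holds the unwrapped key in memory; gates each use on a recent fingerprint."""

    def __init__(self, wrapped, fingerprint_ok, reauth_ttl=60.0, clock=time.monotonic):
        self._wrapped = wrapped
        self._fingerprint_ok = fingerprint_ok   # callable(scan) -> bool; hypothetical reader
        self._ttl = reauth_ttl                   # seconds a fingerprint stays valid
        self._clock = clock                      # injectable for testing
        self._key = None
        self._last_auth = None

    def unlock(self, passphrase):
        """Step 1: only the passphrase can actually decrypt the key."""
        key = unwrap_key(self._wrapped, passphrase)
        if key is None:
            return False
        self._key = key
        self._last_auth = self._clock()
        return True

    def sign(self, message, scan):
        """Step 2: later uses need a fresh fingerprint once the TTL has lapsed.
        The scan never touches the key material; it only opens the gate."""
        if self._key is None:
            raise PermissionError("agent locked: passphrase required")
        now = self._clock()
        if self._last_auth is None or now - self._last_auth > self._ttl:
            if not self._fingerprint_ok(scan):
                raise PermissionError("fingerprint rejected")
            self._last_auth = now
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def lock(self):
        """Drop the key from memory; the next use needs the passphrase again."""
        self._key = None
        self._last_auth = None


if __name__ == "__main__":
    wrapped = wrap_key(os.urandom(32), "correct horse battery staple")
    agent = KeyAgent(wrapped, lambda scan: scan == "finger-ok", reauth_ttl=60)
    print("unlocked:", agent.unlock("correct horse battery staple"))
    print("signature:", agent.sign(b"commit 1", scan=None).hex())
```

Two properties of this layout are worth noting against the first answer. Nothing about the key is ever derived from the scan, so the fuzziness of biometrics is irrelevant; the fingerprint is a pure authorization decision. The flip side is that the unwrapped key lives in the agent's memory for the whole session, so the fingerprint gate protects against someone using your unlocked session at the keyboard, not against anything that can read that process's memory. A real implementation would keep the key out of swap and zeroize it on lock, which this sketch does not attempt.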