[Question] Should I not enter my pin via my pinentry-program rather than my trezor? #325

Open
doolio opened this issue Apr 16, 2020 · 7 comments

Comments

@doolio
Contributor

doolio commented Apr 16, 2020

So I may be a unique case amongst your users. I'm using my trezor (model T) along with pass to manage my passwords. I also use Emacs to interact with my password-store. There is an Emacs major mode and other packages that facilitate this. As the trezor-agent documentation suggests, I configure run-agent.sh to use pinentry-emacs as my pinentry-program as follows:

--pin-entry-binary=pinentry-emacs
--passphrase-entry-binary=pinentry-emacs

which brings up the question whether a gpg-agent.conf where pinentry-program would normally be defined applies to trezor-gpg-agent?

This resolves this NicolasPetton/pass#41 issue I was experiencing.

However, I still enter my PIN on the trezor itself. Is that expected if using a pinentry-program?

That same issue describes the number of times I'm prompted by my trezor to decrypt the specific GPG password files. Is it normal to be prompted more than once when accessing a GPG file? Thanks for your time.

@romanz
Owner

romanz commented Apr 17, 2020

Thanks for reporting this issue!
I am actually also using pass with Trezor :)

Since Trezor model T supports on-device PIN entry, you shouldn't get notified to enter the PIN on your host machine.
However, you will get an on-device notification each time you decrypt a password - since Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

@doolio
Contributor Author

doolio commented May 3, 2020

Sorry for the late response.

> you will get on-device notification each time you decrypt a password - since Trezor needs to use the private GPG key to derive the (different) decryption key for each password stored.

That's understood. However, I get on-device prompting more than once, but this is due to my (mis-?)use of Emacs, for which I'm still searching for a solution.

> the question whether a gpg-agent.conf where pinentry-program would normally be defined applies to trezor-gpg-agent?

I presume gpg-agent.conf is not applicable to the trezor-gpg-agent. Can you confirm?

Thanks for your time.

@romanz romanz reopened this May 3, 2020
@Dehumanizer77

> Since Trezor model T supports on-device PIN entry, you shouldn't get notified to enter the PIN on your host machine.

In Trezor suite, you also have an option of entering password either on the device or on the machine...

@doolio
Contributor Author

doolio commented Apr 5, 2024

> In Trezor suite, you also have an option of entering password either on the device or on the machine

Do you? I can't seem to find such an option.

@doolio
Contributor Author

doolio commented Apr 6, 2024

You see this when you want to create a new wallet? I have the option to create a hidden wallet and if I do I presume I'll be presented with this GUI?

@Dehumanizer77

This is the default screen when connecting a Trezor if you have a passphrase enabled.
There is no "creation" of a hidden wallet; the passphrase is, simply said, another seed word added to your seed, so every passphrase you enter is essentially a different wallet.
