I've been using OfflineIMAP for a few years, but it's only been a month or so since I made it read passwords from an encrypted file instead of straight from the config file.

The password file is encrypted with GPG, and I use a smartcard with subkeys, so my private key is not on my laptop.

The problem comes when I want to check my mail from a cronjob, so I don't have to call OfflineIMAP manually. The first part of the solution is to use gpg-agent, but that's not enough on its own, since cron doesn't honour the user's environment variables.

Luckily, gpg-agent has an option to write its socket information to a file. By sourcing that file we can set the GPG_AGENT_INFO environment variable when running the cronjob and let OfflineIMAP read the encrypted file without entering the key passphrase every time (which, by the way, is impossible anyway, as no prompt is shown when running from a cronjob).

So, the solution is as easy as follows:

  1. Let gpg-agent write its socket information to a file. To do so, add --write-env-file $file to the gpg-agent call. In my case, it's at /etc/profile.d/gpg-agent.sh:

    #!/bin/sh
    # Reuse a running agent if the env file points at a live PID; otherwise start a new one.
    envfile="${HOME}/.gnupg/gpg-agent.env"
    # GPG_AGENT_INFO has the form <socket path>:<pid>:<protocol version>; field 2 is the PID
    if test -f "$envfile" && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
        eval "$(cat "$envfile")"
    else
        eval "$(gpg-agent --daemon --write-env-file "$envfile")"
    fi
    export GPG_AGENT_INFO  # the env file does not contain the export statement

  2. Update the cronjob's entries to source the env file:

    # "." rather than "source": cron runs jobs with /bin/sh, which is not always bash
    */5 * * * * . /home/marcos/.gnupg/gpg-agent.env && export GPG_AGENT_INFO && /usr/bin/offlineimap
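As an added example (not the post's own script), a wrapper the cronjob can call instead of sourcing the env file inline: it parses the GPG_AGENT_INFO line that gpg-agent --write-env-file produces (socket path:pid:protocol version), checks that the recorded agent is still running, and only then exports the variable and runs the command, so a stale env file yields a clear error in the cron mail instead of a silently failing OfflineIMAP run. The function names and the wrapper path are assumptions.

```shell
#!/bin/sh
# Added example: run a command with GPG_AGENT_INFO taken from a gpg-agent env file,
# refusing to run when the agent recorded there is gone.
# Assumes a GnuPG 2.0-style env file containing one line of the form
#   GPG_AGENT_INFO=<socket path>:<pid>:<protocol version>

# agent_info_from_envfile FILE -> prints the GPG_AGENT_INFO value; fails if absent
agent_info_from_envfile() {
    [ -r "$1" ] || return 1
    sed -n 's/^GPG_AGENT_INFO=//p' "$1" | head -n 1 | grep .
}

# agent_alive INFO -> 0 if the socket path exists and the PID in INFO is running
agent_alive() {
    sock=${1%%:*}           # everything before the first ':'
    rest=${1#*:}
    pid=${rest%%:*}         # second field
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # reject a malformed or missing PID
    esac
    [ -e "$sock" ] || return 1      # socket file written by gpg-agent must exist
    kill -0 "$pid" 2>/dev/null      # same liveness test as the profile script
}

# run_with_agent FILE CMD... -> exports GPG_AGENT_INFO and runs CMD, or fails loudly
# Exit codes: 2 = no GPG_AGENT_INFO in FILE, 3 = recorded agent is not running
run_with_agent() {
    envfile=$1; shift
    info=$(agent_info_from_envfile "$envfile") ||
        { echo "no GPG_AGENT_INFO found in $envfile" >&2; return 2; }
    agent_alive "$info" ||
        { echo "gpg-agent recorded in $envfile is not running" >&2; return 3; }
    GPG_AGENT_INFO=$info
    export GPG_AGENT_INFO
    "$@"
}

# Crontab usage (hypothetical path for this wrapper):
#   */5 * * * * /home/marcos/bin/cron-with-agent.sh /usr/bin/offlineimap
if [ $# -gt 0 ]; then
    run_with_agent "${GPG_ENV_FILE:-$HOME/.gnupg/gpg-agent.env}" "$@"
fi
```

Note that GnuPG 2.1 and later no longer support --write-env-file or GPG_AGENT_INFO; there the agent is reached through a fixed socket path under the GnuPG home directory and no env file is needed.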

And that's all: now I can check my email from a cronjob without typing my passphrase every time.

The only drawback is that you have to type your PIN at least once before the cronjob runs, since until then the agent has nothing cached.

Tagged as cron, gpg-agent, mailcheck

If you liked this post, you can donate using Bitcoin 12jVrWkk5S6x5hEizThZwgTx59KxaDdK4C