Update (Jun. 10, 2020): I added a brief post about how to use pass with ProtonMail Bridge for headless servers in a new post here.
Update (Jan. 8, 2020): I recently found the GUI-based gnome-keyring can be replaced with a CLI-based password manager — pass. I now use pass instead of gnome-keyring. I haven’t had time to update this post, so you’ll have to do the research if you want to discard gnome-keyring. A good place to start is the Arch Wiki page of pass.
Update (Aug. 7, 2019): The version of Bridge used in the original post was 1.0.6. I recently upgraded Bridge to 1.1.6 and found the name of Bridge’s executable is not Desktop-Bridge anymore. Now it’s called protonmail-bridge.
ProtonMail Bridge is the utility for ProtonMail users to access IMAP/SMTP servers from local machines. With ProtonMail Bridge, users can use whichever offline email client (Outlook, Thunderbird, etc.) they like.
ProtonMail users need this extra utility because, for outbound emails, ProtonMail encrypts the email content before handing the email over to the sending server. For inbound emails, ProtonMail decrypts the content after downloading the emails, so the content is readable when users open them. In ProtonMail’s online interface, all of this is done behind the scenes; users just write and read emails as they do on Gmail, etc. But offline email clients on local machines lack the functionality to encrypt/decrypt emails before/after communicating with ProtonMail’s servers (see note 1). That’s why ProtonMail provides a utility called Bridge.
In a nutshell, ProtonMail Bridge creates fake IMAP/SMTP servers on the local machine, and users enter these fake local servers in the IMAP/SMTP settings of their offline email clients. When offline clients try to communicate with email servers, they are in fact communicating with the fake local servers, which perform the encryption/decryption tasks and then talk to the real ProtonMail servers.
For more details, please read the introduction at ProtonMail Bridge. This post does not intend to deal with the usage of Bridge. Instead, it deals with an issue that occurs when using Bridge in headless (i.e., not connected to any physical monitors) Linux environments.
Note 1: In fact, many offline email clients can handle PGP-encrypted emails. But when using ProtonMail, my guess is that ProtonMail servers do not allow client-side encryption and decryption. So they provide Bridge. But it’s just my guess. I’m also new to ProtonMail.
Problem description
A dependency of Bridge is gnome-keyring (note: see the update above). My guess is that Bridge relies on gnome-keyring to store data and information on PGP keys. But the problem is that gnome-keyring is not designed for headless environments. So when you try to launch non-graphical Bridge with $ Desktop-Bridge --cli (note: see the update above), you may encounter problems when you log in with your ProtonMail account in Bridge.
Solution
gnome-keyring relies on a graphical pop-up dialog to ask users for passwords. So what we have to do is proactively provide our password when we start the keyring service in the background, instead of passively waiting for it to ask.
Use the following command to achieve this:
$ echo -n [password] | gnome-keyring-daemon --login
[password] is your password to log in to the Linux machine. Even if you use password-less login (e.g., using SSH keys), you should have a password for your username. Note, [password] should be a string. That is, your password should be inside a pair of quotation marks.
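An added example (not from the original post): a wrapper around the command above that takes the password from a prompt or a pipe instead of the command line, so the password is not saved in shell history. The names read_secret, unlock_keyring and KEYRING_CMD are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original author's code.
# KEYRING_CMD (hypothetical name) defaults to the command used in this post;
# it can be overridden to test the wrapper without a running keyring.
: "${KEYRING_CMD:=gnome-keyring-daemon --login}"

# Read one line from stdin. On a terminal, prompt with echo disabled;
# on a pipe or file, read silently. The line terminator is dropped,
# which matches what "echo -n" does in the post.
read_secret() {
    local secret=''
    if [ -t 0 ]; then
        printf 'Login password: ' >&2
        trap 'stty echo' INT TERM      # restore echo if interrupted
        stty -echo
        IFS= read -r secret || true
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret || true    # keep data even without a final newline
    fi
    printf '%s' "$secret"
}

# Feed the password to the keyring daemon on stdin.
# printf is a shell builtin, so the password is never an argument of a
# separate process and does not show up in "ps" output.
unlock_keyring() {
    local secret
    secret=$(read_secret) || return 1
    if [ -z "$secret" ]; then
        echo 'empty password, refusing to start the keyring' >&2
        return 1
    fi
    printf '%s' "$secret" | $KEYRING_CMD
}

# Run only when asked to, so the file can also be sourced from ~/.profile.
if [ "${1:-}" = "--run" ]; then
    unlock_keyring
fi
```

Run it as `sh unlock.sh --run` (file name is an assumption) for an interactive prompt, or pipe the password in from a file that only your user can read.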