How to force GPG to use console-mode pinentry to prompt for passwords?


Solution 1

To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-tty

(In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)

Tell the GPG agent to reload configuration:

gpg-connect-agent reloadagent /bye

Solution 2

On a debian box:

sudo apt install pinentry-tty
sudo update-alternatives --config pinentry

(and set it to pinentry-tty)

Solution 3

On Ubuntu 18.04, with the default installation of gpg 2.2.4, I have

/usr/bin/pinentry
/usr/bin/pinentry-gnome3
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-x11

I was able to do the following to have a text-based PIN entry:

export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
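The two steps from Solutions 1 and 3 (a pinentry-program line in gpg-agent.conf, plus GPG_TTY) as one idempotent script. This is an added example, not code from any of the answers; it assumes POSIX sh, the GnuPG 2.1+ config layout, and a script file name of gpg-console-pinentry.sh for the guard at the bottom.

```shell
#!/bin/sh
# Added example, not code from the original answers: apply the two steps from
# Solutions 1 and 3 (pinentry-program in gpg-agent.conf, GPG_TTY) idempotently.
# Assumes POSIX sh and the GnuPG 2.1+ layout; the script name used in the guard
# at the bottom (gpg-console-pinentry.sh) is an assumption.

# set_pinentry DIR PROGRAM: leave DIR/gpg-agent.conf with exactly one
# "pinentry-program PROGRAM" line, keeping any other settings untouched.
set_pinentry() {
    dir=$1; prog=$2; conf="$dir/gpg-agent.conf"
    mkdir -p "$dir" && chmod 700 "$dir"            # gpg warns on unsafe perms
    [ -f "$conf" ] || : > "$conf"
    grep -v '^pinentry-program ' "$conf" > "$conf.tmp" || true
    echo "pinentry-program $prog" >> "$conf.tmp"   # absolute path, see comments
    mv "$conf.tmp" "$conf" && chmod 600 "$conf"
}

# pick_pinentry BINDIR SSH_CONNECTION DISPLAY: text pinentry for remote or
# display-less sessions (pinentry-tty, else pinentry-curses on older releases),
# the distro default BINDIR/pinentry otherwise.
pick_pinentry() {
    bin=$1; ssh=$2; display=$3
    if [ -n "$ssh" ] || [ -z "$display" ]; then
        if [ -x "$bin/pinentry-tty" ]; then echo "$bin/pinentry-tty"
        else echo "$bin/pinentry-curses"; fi
    else
        echo "$bin/pinentry"
    fi
}

# count_pinentry_lines DIR: number of pinentry-program lines in the conf file
count_pinentry_lines() {
    grep -c '^pinentry-program ' "$1/gpg-agent.conf"
}

# Only touch the real config when run as a script, not when sourced.
if [ "${0##*/}" = "gpg-console-pinentry.sh" ]; then
    set_pinentry "${GNUPGHOME:-$HOME/.gnupg}" \
        "$(pick_pinentry /usr/bin "$SSH_CONNECTION" "$DISPLAY")"
    gpg-connect-agent reloadagent /bye >/dev/null      # re-read gpg-agent.conf
    GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null
fi
```

Put `GPG_TTY=$(tty); export GPG_TTY` in ~/.bashrc as well, since a child script cannot export into its parent shell; the inline assignment above only serves the updatestartuptty call.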

Solution 4

I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked, giving:

gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied

I then found this, which worked for me, so in brief:

pico ~/.gnupg/gpg-agent.conf
# add: allow-loopback-pinentry
gpg-connect-agent reloadagent /bye
gpg2 --pinentry-mode loopback --import private.key

Solution 5

I'll copy my answer from over here...

Looking at man pinentry-gnome3, I see this:

   pinentry-gnome3  implements  a PIN entry dialog based on GNOME 3, which
   aims to follow the GNOME Human Interface Guidelines as closely as  pos‐
   sible.   If the X Window System is not active then an alternative text-
   mode dialog will be used.  There are other flavors that  implement  PIN
   entry dialogs using other tool kits.

Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred me to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:

> sudo update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gnome3   90        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
  2            /usr/bin/pinentry-gnome3   90        manual mode
  3            /usr/bin/pinentry-gtk-2    85        manual mode

Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode

Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.


Author: ccpizza

Updated on September 18, 2022

Comments

  • ccpizza
    ccpizza over 1 year

    Using gpg from a console-based environment such as ssh sessions fails because the GTK pinentry dialog cannot be shown in a SSH session.

    I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.

    Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.

    There is the --textmode command line switch but apparently, it does something else.

    What would be the proper and clean way of getting plain-text pin entry for remote sessions?

    • Admin
      Admin almost 6 years
      DISPLAY="" gpg2 ... helped me, I also installed pinentry-curses + pinentry-tty beforehand, not sure if they are strictly necessary
  • user1686
    user1686 over 11 years
    It's not completely "sane". Normally, gpg-agent should itself detect the presence or lack of $DISPLAY and choose the appropriate pinentry...
  • ccpizza
    ccpizza over 11 years
    The agent is most likely capable of detecting the presence of a running xorg. But having a DISPLAY defined does not necessarily mean I can or want to use it, for example, when connected over SSH.
  • ccpizza
    ccpizza over 11 years
    You are right - I had X11 forwarding enabled. Never thought of the implications, though. Thanks again.
  • lfxgroove
    lfxgroove about 9 years
    For anyone trying this via SSH where you've su/sudoed to the user: That doesn't seem to work at all. If you SSH to the computer as the user though (e.g. ssh [email protected] instead of su - the_user) the correct pinentry program shows up without trouble. Hope that helps.
  • Asfand Qazi
    Asfand Qazi over 8 years
    Kubuntu 14.04 here. I had to first install pinentry-curses (it is a separate package apparently), then set DISPLAY='' before this would work.
  • MichaelKleine
    MichaelKleine over 8 years
    @lfxgroove: the problem is that su does not change the ownership of your TTY, so you need to manually chown it. See this article.
  • Ramhound
    Ramhound over 8 years
    Which X11 features specifically should be disabled? I personally know the answer to my question, the author does not, so the answer seems incomplete without this information.
  • PvdL
    PvdL over 8 years
    ssh'ing to local host was enough for me, but optionally -x ("Disables X11 forwarding.") should prevent any X11 forwarding. Answer is updated.
  • user3619803
    user3619803 almost 8 years
    I prefer this solution, given that pinentry over -X doesn't show up – I'm normally physically at my laptop, where I want X pinentry (so I don't want to edit a conf file all the time), but if I happen to ssh -X into it I might still want a curses pinentry. Of course, ideally, the gtk pinentry would actually work over ssh -X :-/
  • Starx
    Starx over 7 years
    What to do if there is no ~/.gnupg/gpg-agent.conf?
  • user1686
    user1686 over 7 years
    @Starx: You create one.
  • Starx
    Starx over 7 years
    @grawity, haha thanks. I tried that already. And I noticed that it does ask a passphrase in a CLI application but not the TTY itself. Is there a way to set pinentry-program to use TTY?
  • user1686
    user1686 over 7 years
    Use the (recent) pinentry-tty.
  • Jeffrey Lebowski
    Jeffrey Lebowski over 7 years
    Another tip: to view all the available options, type ls /usr/bin | grep pinentry. I see pinentry, pinentry-curses, pinentry-emacs, pinentry-gnome3, pinentry-gtk2, pinentry-qt and pinentry-tty. This way you can choose the one that suits you better, if you don't have the lack of $DISPLAY issue.
  • Avindra Goolcharan
    Avindra Goolcharan almost 7 years
    For those of you who might be getting errors, make sure to use the absolute path to the pinentry program (i.e., include /usr/bin). It won't work otherwise.
  • Craig Hicks
    Craig Hicks about 6 years
    In Ubuntu 16.04, pinentry-tty was available as a package ready to be installed.
  • irbanana
    irbanana almost 6 years
    Having done this, I was still getting an error: gpg: signing failed: Invalid IPC response. Appending pinentry-mode loopback to the gpg-agent.conf file fixed it.
  • Scott - Слава Україні
    Scott - Слава Україні almost 5 years
    According to Roc White’s answer, export GPG_TTY=$(tty) is sufficient.  Have you tried that?  Do you have a reference that says that unset DISPLAY is also necessary? P.S. People don’t like to put passphrases on the command line.
  • jaryaman
    jaryaman over 4 years
    I had to add export GPG_TTY=$(tty) to my ~/.bashrc to get this to work
  • Edward
    Edward over 4 years
    Has anyone managed to get this working on Amazon Linux AMI 2018.03 release? pinentry-tty is not available and adding pinentry-curses to gpg-agent.conf has no effect.
  • SlySven
    SlySven almost 4 years
    -1 Putting a password or passphrase as an argument to a command is never a good idea as it can be easily seen by other processes that monitor system activity and will likely get recorded into your command history where it will remain for some time.
  • Olivier
    Olivier about 3 years
    Thanks! It works also with pinentry-curses which was installed already.
  • AntumDeluge
    AntumDeluge almost 3 years
    This worked for me on Android using Termux.
  • Mark Veltzer
    Mark Veltzer almost 3 years
    On my box gnupg agent does not restart with the command above. You need to issue gpgconf --kill gpg-agent
  • Laurence Gonsalves
    Laurence Gonsalves over 2 years
    This is the right answer. The text fallback in pinentry-gnome3 is completely broken, because it'll open up on X11 if there's an X11 session running on the machine even when $DISPLAY is unset. pinentry-gtk2 behaves correctly: it falls back to pinentry-tty if $DISPLAY is unset.
  • Justin
    Justin over 2 years
    For Solaris refugees: pinentry-program /usr/lib/pinentry-curses . I know this is tagged linux, but I could find virtually nothing Solaris specific, and this issue otherwise matches strongly.
  • Terry Brown
    Terry Brown over 2 years
    For me, pinentry-tty didn't work but pinentry-curses did, just replace tty with curses in both the steps above.
  • reikred
    reikred over 2 years
    For me export GPG_TTY=$(tty) only was not enough. System used gpg-agent and popped up a GUI window (pinentry-gtk-2 in my case).
  • whhone
    whhone about 2 years
    That is the right solution and also the official one from man gpg-agent: "You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations: GPG_TTY=$(tty) export GPG_TTY It is important that this environment variable always reflects the output of the tty command."