Using gpg from a console-based environment such as ssh sessions fails because the GTK pinentry dialog cannot be shown in a SSH session.
I tried unset DISPLAY but it did not help. The GPG command line options do not include a switch for forcing the pinentry to console-mode.
Older GPG versions offered a text-based prompt that worked fine in SSH sessions but after the upgrade it just fails.
There is the --textmode command line switch but apparently, it does something else.
What would be the proper and clean way of getting plain-text pin entry for remote sessions?
111 Answers
To change the pinentry permanently, append the following to your ~/.gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-tty (In older versions which lack pinentry-tty, use pinentry-curses for a 'full-terminal' dialog window.)
Tell the GPG agent to reload configuration:
gpg-connect-agent reloadagent /bye 18On a debian box:
sudo apt install pinentry-tty sudo update-alternatives --config pinentry (and set it to pinentry-tty)
2On Ubuntu 18.04, with the default installation of gpg 2.2.4, I have
/usr/bin/pinentry /usr/bin/pinentry-gnome3 /usr/bin/pinentry-gtk-2 /usr/bin/pinentry-x11 I was able to do the following to have a text-based PIN entry:
export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null 1I just had this problem on Ubuntu 16.04.3 when trying to generate/install a private key using gpg2 (2.1.11) on a system account without a password, and on a user account over ssh. Nothing worked giving:
gpg: key FE17AE6D/FE17AE6D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
I then found this which worked for me, so in brief:
pico ~/.gnupg/gpg-agent.conf # add: allow-loopback-pinentry gpg-connect-agent reloadagent /bye gpg2 --pinentry-mode loopback --import private.key 1I'll copy my answer from over here...
Looking at man pinentry-gnome3, I see this:
pinentry-gnome3 implements a PIN entry dialog based on GNOME 3, which aims to follow the GNOME Human Interface Guidelines as closely as pos‐ sible. If the X Window System is not active then an alternative text- mode dialog will be used. There are other flavors that implement PIN entry dialogs using other tool kits. Unfortunately, this text-mode fallback doesn't work for me. It seems others have the same issue. However, this comment spurred my to try a different GUI pin-entry program: pinentry-gtk2. You can switch like this:
> sudo update-alternatives --config pinentry There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry). Selection Path Priority Status ------------------------------------------------------------ * 0 /usr/bin/pinentry-gnome3 90 auto mode 1 /usr/bin/pinentry-curses 50 manual mode 2 /usr/bin/pinentry-gnome3 90 manual mode 3 /usr/bin/pinentry-gtk-2 85 manual mode Press <enter> to keep the current choice[*], or type selection number: 3 update-alternatives: using /usr/bin/pinentry-gtk-2 to provide /usr/bin/pinentry (pinentry) in manual mode Once I switched, it worked perfectly for me! In a terminal on the desktop, it will use the GUI password entry, but when I ssh into my machine, it will use a text-mode password entry.
1If you don't have it, install pinentry-curses with yum or apt-get.
Then, run:
sudo update-alternatives --config pinentry
And select pinentry-curses from the list.
To prevent the pinentry popup you could ssh localhost. Optionally forcing X11 disabled, -x Disables X11 forwarding. See the full example below.
patrick@patrick-C504:~$ ssh localhost patrick@localhost's password: Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-68-generic x86_64) * Documentation: Last login: Mon Nov 16 22:48:53 2015 from localhost patrick@patrick-C504:~$ gpg --gen-key gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <>" Real name: Foo Name must be at least 5 characters long Real name: FooBar Email address: Comment: You selected this USER-ID: "FooBar <>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. gpg: gpg-agent is not available in this session Enter passphrase: 3If you do export GPG_TTY=$(tty) and unset DISPLAY it will give a TLI dialog box asking for the passphrase. Typing in the correct passphrase makes it decrypt.
If you do NOT do the above export of GPG_TTY and unset of DISPLAY it expects to use X Windows. If you launched your session (such as PuTTY) from an MS-Windows system with X11 forwarding turned on it wants to send the X-Window dialog to your MS Windows system. You can use an X emulator such as Exceed or Cygwin/X on Windows to allow the X-Window prompt for passphrase to appear on your MS-Windows box.
However, you can eliminate the need to set GPG_TTY and unset DISPLAY and getting either the TLI or GUI by running the command line with --batch option and putting the passphrase in with the --passphrase option:
gpg --batch --passphrase "<passphrase>" -o "<decrypted output file name>" --decrypt "<encrypted input file name>" All 3 methods worked for me today on RHEL6 running gnupg2.
3Not sure which version of GPG this question was originally about. I am using GPG v2.2.19 in (K)ubuntu 20.04 LTS Focal. All I had to add was just --pinentry-mode loopback and it started to ask for a password in TTY. I didn't have to install anything. For example:
gpg --pinentry-mode loopback --export-secret-keys -a | less I found the "full example" in PvdL's answer a bit confusing, here's what I do:
ssh -X machine # work hack hack work until I need something from gpg ssh -x localhost -p$port gpg2 --decrypt file.gpg # enter password to pinentry exit # now the key is unlocked in gpg-agent, and I can keep decrypting files # from my X ssh session without being asked for the password in CentOS 8 you can try :
yum -y install pinentry