How to make gpg prompt for passphrase on CLI

Asked 21/7, 2013 at 6:53 Answered 19/11, 2023 at 16:40

The encryption tool of gnuPG package gpg prompts for passphrase using a GUI dialog box when invoked by a regular user, however when invoked by root it prompts on CLI. How to make it use the CLI even when invoked by a regular user. version:GnuPG 1.4.12

Ocana answered 21/7, 2013 at 6:53 Comment(0)

On a debian box:

sudo apt install pinentry-tty
sudo update-alternatives --config pinentry

(and set it to pinentry-tty)

Dentalium answered 5/12, 2018 at 21:32 Comment(4)

After much searching, this is the only solution that worked for me. Thanks! – Oddfellow 26/6, 2019 at 22:45

I think this is the best method, but the answer could be improved with a little explanation – Laminated 12/3, 2020 at 9:52

This will change pinentry mode system-wide for all accounts on your device which might not be desirable. Providing pinentry option to gpg-agent or to single invocation of gpg does not impact the whole system – Anneliese 13/2, 2021 at 18:51

A simpler one, in the second line: sudo update-alternatives --set pinentry /usr/bin/pinentry-tty – Debora 21/9, 2021 at 15:40

This kind of password prompt is not done by gpg itself, but by the gpg-agent.

You can configure your gpg-agent which pinentry program should be used. There are options both when starting the agent and in the gpg-agent config file -- please have a glance at the man page.

So I see two options:

Configure your gpg-agent to use the desired method
Disable the gpg-agent; you can do that for a single gpg invocation by unsetting the environment variable GPG_AGENT_INFO like GPG_AGENT_INFO="" gpg .... gpg used to have a --no-use-agent option, but this has been marked deprecated and has no functionality in recent gpg version.

Nudibranch answered 22/7, 2013 at 7:17 Comment(5)

I created ~/.gnupg/gpg-agent.conf and wrote pinentry-program /usr/bin/pinentry-curses in it. Didn't work for me ! Using gpg --no-use-agent did the trick. – Ocana 22/7, 2013 at 11:53

@MayankPundir this option is obsolete for some time now; I updated my answer accordingly. – Nudibranch 12/8, 2013 at 10:22

GPG_AGENT_INFO="" gpg ... worked for me, the --no-use-agent did not. Ubuntu 14.04 – Dickens 25/2, 2015 at 6:39

Use of GPG_AGENT_INFO is not working as of 2.1, since it has been obsoleted. – Vaunt 8/3, 2017 at 13:32

For MacOS, you can go to 🍎 > System Preferences > GPG Suite, then disable both "Store in macOS keychain" and "Remember for ### seconds" AND "Delete stored OpenPGP passwords." That last part is super important because if your password is already stored in the keychain disabling the other 2 options won't be enough! Hope this helped, it took me a couple months after I updated gpg and I accidentally enabled these options before figuring out how to revert it just now. I'll also add a post below for easy visibility – Encephalo 6/12, 2020 at 11:47

I'm on GPG 2.2.13, and the gpg-agent man page reads:

You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:
GPG_TTY=$(tty)
export GPG_TTY
It is important that this environment variable always reflects the output of the tty command. ...

This doesn't explain the "why" (I also don't understand the "why"), but setting this in my .bashrc worked: it caused my gpg-agent to ask for my passphrase via the pinentry-curses interface. I didn't need to set any other configuration (I don't even have a ~/.gnupg/gpg-agent.conf file).

Edit: it seems that this works whenever no DISPLAY is available, e.g. in an SSH session with no X11 forwarding. But when I'm on the desktop and DISPLAY is set, it still brings up the GUI dialog. unset DISPLAY (BASH) in this case makes it use curses instead of the GUI.

Gert answered 12/3, 2019 at 16:38 Comment(1)

Works like a charm if pinentry is installed. The command could be even shorter: export GPG_TTY=$(tty) ;) – Luminescence 13/9, 2019 at 9:26

In newer versions of gpg, >= 2.x, you can use this

stty -echo; gpg --passphrase-fd 0 --pinentry-mode loopback --decrypt filename; stty echo

The stty makes sure your password is not echoed as you enter it. A tad smoother than fiddling with configs if all you want is a quicky on say a desktop workstation you ssh'd into.

You will need, though, pinentry sudo apt install pinentry-curses or possibly sudo apt install pinentry

It's a far cry from the olden days of gpg 1.x where all you needed was --no-use-agent.

Buccaneer answered 17/3, 2019 at 22:6 Comment(3)

In my case, just specifying --pinentry-mode loopback was enough and no stty was needed. Tested under gpg 2.2.20 on Arch Linux. – Hogweed 21/6, 2020 at 6:36

GPG 2.2.27: pinentry is not required for this recipe – Anneliese 13/2, 2021 at 18:40

@Hogweed stty is not needed, it just makes your password not visible on screen – Anneliese 13/2, 2021 at 18:42

You can set the following environment variable to disable the graphical prompt

export PINENTRY_USER_DATA="USE_CURSES=1"

Goatherd answered 24/11, 2016 at 8:58 Comment(2)

Not working on Debian Stretch either (gnupg 2.1.18). – Vaunt 8/3, 2017 at 13:31

This works on macos – Maestoso 29/7, 2022 at 1:3

If you're on MacOS and using pinentry, you can go to 🍎 > System Preferences > GPG Suite, then disable both

Store in macOS keychain

and

Remember for ### seconds

AND click the Delete stored OpenPGP passwords button.

Deleting OpenPGP passwords part is super important because if your password is already stored in the keychain, disabling the other 2 options won't be enough!

I tried most other things mentioned on this thread, including adding export GPG_TTY=$(tty) to ~/.bash_profile, using gpg --no-use-agent (got the deprecated message, but still didn't work), looking at the ~/.gnupg/gpg-agent.conf and ~/.gnupg/gpg.conf files (neither one really had anything that looked like it would change anything), and nothing really made the CLI pinentry GUI prompt for the password until I did this.

Hope this might help anyone in the future who runs into this problem! It took me a couple months after I updated gpg and accidentally enabled these options before figuring out how to revert them back just now.

To clarify, if you WANT pinentry to prompt you to enter your password anytime you're doing something that you want to verify with your PGP keys, make sure you don't have the options to remember your password enabled AND make sure you delete any PGP passwords you might have stored in macOS keychain.

EDIT: found a similar answer on Ask Different: How to use GUI pinentry program for GPG

Encephalo answered 6/12, 2020 at 12:3 Comment(0)

For me, I did the following and it worked:

Install the pinentry program:

sudo apt-get install pinentry-curses

Since I was using SSH Connection, pinentry-curses is recommended, you can install any other variant,

pinentry-curses: For console or terminal-based environments.
pinentry-gtk-2 or pinentry-gnome3: For GTK-based environments.
pinentry-qt: For Qt-based environments.
pinentry-tty: For basic TTYs.

Configure your gpg-agent.conf

Edit your ~/.gnupg/gpg-agent.conf file, if there isn't one, create it, and then add the following line:

pinentry-program /usr/bin/pinentry-curses

Change the path as per the variant you used.

Reload the GPG Agent

You can kill the existing agent, and restart it using the command below, it'll make sure it uses the right config

gpgconf --kill gpg-agent

Now, you can try signing again and see if the password prompt comes in.

Vtol answered 19/11, 2023 at 16:40 Comment(0)

My requirements is to create the keys in a remote server thru SSH connection.

My requirements are not about scripting everything

no one mention this approach. But it works for me and it satisfies my requirements:

create keys in a machine with X11 (UI) available

gpg2 --gen-key

...output omitted...
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) Enter
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Abd Tm
Email address: [email protected]
Comment: Enter
You selected this USER-ID:
    "Abd Tm <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Export keys:

# export private key
gpg2 --export-secret-keys --armor --output myfile [email protected]

# export public key (same command above except --export arg)
gpg2 --export --armor --output myfile.pub [email protected]

Copy the 2 files to the server where i want really to install the keys:

scp myfile* user@remote-server:/home/user

SSH to the remote-server and import the key

ssh user@remote-server

[user@remote-server] $ gpg2 --import /home/user/myfile
[user@remote-server] $ gpg2 --import /home/user/myfile.pub

Validate it works:

[user@remote-server] $ gpg2 --list-keys

Credits to this article

Multitudinous answered 30/12, 2020 at 10:27 Comment(0)

I tried all the suggestions above, and more. The "--pinentry-mode loopback" option works. This command I now use:

gpg --pinentry-mode loopback -q -d file.gpg

I'm using gpg 2.2.27

Oology answered 10/11, 2023 at 15:51 Comment(0)

-1

You can do this :

gpg --batch --decrypt --passphrase-fd 0 gpgfile < passphrase-file

Rules answered 23/10, 2013 at 6:55 Comment(1)

I had to add --no-use-agent on Ubuntu Linux 14.04 - otherwise you get error gpg: can't query passphrase in batch mode\ngpg: error creating passphrase: invalid passphrase\ngpg: symmetric encryption of `[stdin]' failed: invalid passphrase – Diley 14/5, 2015 at 23:24

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags