How to make gpg prompt for passphrase on CLI

Question

The encryption tool of gnuPG package gpg prompts for passphrase using a GUI dialog box when invoked by a regular user, however when invoked by root it prompts on CLI. How to make it use the CLI even when invoked by a regular user. version:GnuPG 1.4.12

Answer 1

On a debian box:

sudo apt install pinentry-tty
sudo update-alternatives --config pinentry

(and set it to pinentry-tty)

Answer 2

This kind of password prompt is not done by gpg itself, but by the gpg-agent.

You can configure your gpg-agent which pinentry program should be used. There are options both when starting the agent and in the gpg-agent config file -- please have a glance at the man page.

So I see two options:

• Configure your gpg-agent to use the desired method
• Disable the gpg-agent; you can do that for a single gpg invocation by unsetting the environment variable GPG_AGENT_INFO like GPG_AGENT_INFO="" gpg .... gpg used to have a --no-use-agent option, but this has been marked deprecated and has no functionality in recent gpg version.

Answer 3

I'm on GPG 2.2.13, and the gpg-agent man page reads:

You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:

GPG_TTY=$(tty)
export GPG_TTY

It is important that this environment variable always reflects the output of the tty command. ...

This doesn't explain the "why" (I also don't understand the "why"), but setting this in my .bashrc worked: it caused my gpg-agent to ask for my passphrase via the pinentry-curses interface. I didn't need to set any other configuration (I don't even have a ~/.gnupg/gpg-agent.conf file).

Edit: it seems that this works whenever no DISPLAY is available, e.g. in an SSH session with no X11 forwarding. But when I'm on the desktop and DISPLAY is set, it still brings up the GUI dialog. unset DISPLAY (BASH) in this case makes it use curses instead of the GUI.

Answer 4

In newer versions of gpg, >= 2.x, you can use this

stty -echo; gpg --passphrase-fd 0 --pinentry-mode loopback --decrypt filename; stty echo

The stty makes sure your password is not echoed as you enter it. A tad smoother than fiddling with configs if all you want is a quicky on say a desktop workstation you ssh'd into.

You will need, though, pinentry sudo apt install pinentry-curses or possibly sudo apt install pinentry

It's a far cry from the olden days of gpg 1.x where all you needed was --no-use-agent.

Answer 5

You can set the following environment variable to disable the graphical prompt

export PINENTRY_USER_DATA="USE_CURSES=1"

Answer 6

If you're on MacOS and using pinentry, you can go to > System Preferences > GPG Suite, then disable both

Store in macOS keychain

and

Remember for ### seconds

AND click the Delete stored OpenPGP passwords button.

Deleting OpenPGP passwords part is super important because if your password is already stored in the keychain, disabling the other 2 options won't be enough!

I tried most other things mentioned on this thread, including adding export GPG_TTY=$(tty) to ~/.bash_profile, using gpg --no-use-agent (got the deprecated message, but still didn't work), looking at the ~/.gnupg/gpg-agent.conf and ~/.gnupg/gpg.conf files (neither one really had anything that looked like it would change anything), and nothing really made the CLI pinentry GUI prompt for the password until I did this.

Hope this might help anyone in the future who runs into this problem! It took me a couple months after I updated gpg and accidentally enabled these options before figuring out how to revert them back just now.

To clarify, if you WANT pinentry to prompt you to enter your password anytime you're doing something that you want to verify with your PGP keys, make sure you don't have the options to remember your password enabled AND make sure you delete any PGP passwords you might have stored in macOS keychain.

EDIT: found a similar answer on Ask Different: How to use GUI pinentry program for GPG

Answer 7

My requirements is to create the keys in a remote server thru SSH connection.

My requirements are not about scripting everything

no one mention this approach. But it works for me and it satisfies my requirements:

1. create keys in a machine with X11 (UI) available

gpg2 --gen-key

...output omitted...
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Enter
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) Enter
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Abd Tm
Email address: abd@example.com
Comment: Enter
You selected this USER-ID:
    "Abd Tm <abd@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

2. Export keys:

# export private key
gpg2 --export-secret-keys --armor --output myfile abd@example.com

# export public key (same command above except --export arg)
gpg2 --export --armor --output myfile.pub abd@example.com

3. Copy the 2 files to the server where i want really to install the keys:

scp myfile* user@remote-server:/home/user

4. SSH to the remote-server and import the key

ssh user@remote-server

[user@remote-server] $ gpg2 --import /home/user/myfile
[user@remote-server] $ gpg2 --import /home/user/myfile.pub

5. Validate it works:

[user@remote-server] $ gpg2 --list-keys

Credits to this article

Answer 8

You can do this :

gpg --batch --decrypt --passphrase-fd 0 gpgfile < passphrase-file