25

I had to do quite some diving and hunting through documentation and forums, so I figured I might as well do a Q&A here for others:

How do I enable GnuPG passphrase prompting in the minibuffer? The Emacs 25.1 changelog says:

** pinentry.el allows GnuPG passphrase to be prompted through the minibuffer instead of a graphical dialog, depending on whether the gpg command is called from Emacs (i.e., INSIDE_EMACS environment variable is set). This feature requires newer versions of GnuPG (2.1.5 or later) and Pinentry (0.9.5 or later). To use this feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and reload the configuration with "gpgconf --reload gpg-agent".

Doing just that, I just get an error message now and not even the graphical passphrase prompt.

This is GNU Emacs 25.2.2 on Lubuntu (Ubuntu Xenial) with GnuPG 2.1.11.

2 Answers

31

You also have to

  1. Explicitly enable loopback mode for pinentry in your gpg-agent.conf.
  2. Configure epa to use loopback for pinentry.
  3. Start the pinentry server in Emacs.

1. Enable Emacs pinentry and loopback mode for gpg-agent

Put this in your ~/.gnupg/gpg-agent.conf:

allow-emacs-pinentry
allow-loopback-pinentry

Then tell gpg-agent to load this configuration with gpgconf in a shell:

gpgconf --reload gpg-agent 

2. Configure EasyPG Assistant to use loopback for pinentry

In emacs, either do

M-x customize-group RET epa RET 

Then set “Epa Pinentry Mode” to ‘loopback’ and apply.

Or put this in your ~/.emacs file:

(setq epa-pinentry-mode 'loopback) 

Note: epa-pinentry-mode is deprecated since 27.1. Either do

M-x customize-group RET epg RET 

Then set “Epg Pinentry Mode” to ‘loopback’ and apply.

Or put this in your ~/.emacs file:

(setq epg-pinentry-mode 'loopback) 

Finally, in Emacs, do

M-x pinentry-start RET 

This starts the server for the current session. To start it in each new Emacs instance, put this into your .emacs:

(pinentry-start) 
1
  • I have implemented this approach and while it works using pass from within emacs I can no longer run pass from the command line. Is this the case for you? Commented Jun 22, 2018 at 6:58
7

For setups with GnuPG >= 2.1, the pinentry package is not needed anymore.

Quote from the Emacs News.26 file:

** The pinentry.el library has been removed. That package (and the corresponding change in GnuPG and pinentry) was intended to provide a way to input passphrase through Emacs with GnuPG 2.0. However, the change to support that was only implemented in GnuPG >= 2.1 and didn't get backported to GnuPG 2.0. And with GnuPG 2.1 and later, pinentry.el is not needed at all. So the library was useless, and we removed it. GnuPG 2.0 is no longer supported by the upstream project.

To adapt to the change, you may need to set 'epa-pinentry-mode' to the symbol 'loopback'. Alternatively, leave 'epa-pinentry-mode' at its default value of nil, and remove the 'allow-emacs-pinentry' setting from your 'gpg-agent.conf' configuration file, usually found in the '~/.gnupg' directory.

Note that previously, it was said that passphrase input through minibuffer would be much less secure than other graphical pinentry programs. However, these days the difference is insignificant: the 'read-password' function sufficiently protects input from leakage to message logs. Emacs still doesn't use secure memory to protect passphrases, but it was also removed from other pinentry programs as the attack is unrealistic on modern computer systems which don't utilize swap memory usually.

See also a discussion on why pinentry was removed from Emacs core.

So a setup may now consist of:

  1. In Emacs' user-init-file:

(require 'epg)
(setq epg-pinentry-mode 'loopback)

  2. In ~/.gnupg/gpg-agent.conf:

allow-emacs-pinentry
# on Mac OS
pinentry-program /usr/local/bin/pinentry-mac
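Added example, not part of either answer: the gpg-agent.conf edit that both answers describe, done idempotently, so that commented-out or already-present options are handled and the agent is reloaded only when the file changed. The function names and the `--apply` switch are assumptions made for this sketch; the option names and the `gpgconf` call are the ones given above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): enable gpg-agent options idempotently.

# ensure_agent_option FILE OPTION
# Appends OPTION unless an active (uncommented) line already sets it.
# Prints "present" or "added".
ensure_agent_option() {
    conf=$1
    opt=$2
    # Create the file with private permissions if it does not exist yet.
    ( umask 077; touch "$conf" ) || return 1
    # Active line: optional whitespace, the option name, then whitespace or end of line.
    if grep -Eq "^[[:space:]]*${opt}([[:space:]]|\$)" "$conf"; then
        echo present
        return 0
    fi
    # If the last line lacks a newline, add one so the option starts a fresh line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    printf '%s\n' "$opt" >> "$conf"
    echo added
}

# enable_options FILE OPTION...
# Prints how many options had to be added.
enable_options() {
    file=$1
    shift
    added=0
    for o in "$@"; do
        if [ "$(ensure_agent_option "$file" "$o")" = added ]; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Touch the real configuration only when called with --apply.
if [ "${1:-}" = "--apply" ]; then
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    n=$(enable_options "$conf" allow-emacs-pinentry allow-loopback-pinentry)
    # Reload only if something changed, using the command from the answers.
    if [ "$n" -gt 0 ]; then gpgconf --reload gpg-agent; fi
    echo "$n option(s) added to $conf"
fi
```

Run with `--apply`, it writes the two options from the first answer; pass a different option list to `enable_options` for the second answer's setup.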
