
I had to do quite some diving and hunting through documentation and forums, so I figured I might as well do a Q&A here for others:

How do I enable GnuPG passphrase prompting in the minibuffer? The Emacs 25.1 changelog says:

** pinentry.el allows GnuPG passphrase to be prompted through the minibuffer instead of a graphical dialog, depending on whether the gpg command is called from Emacs (i.e., INSIDE_EMACS environment variable is set). This feature requires newer versions of GnuPG (2.1.5 or later) and Pinentry (0.9.5 or later). To use this feature, add "allow-emacs-pinentry" to "~/.gnupg/gpg-agent.conf" and reload the configuration with "gpgconf --reload gpg-agent".

Doing just that, I just get an error message now and not even the graphical passphrase prompt.

This is GNU Emacs 25.2.2 on Lubuntu (Ubuntu Xenial) with GnuPG 2.1.11.

stsquad
Oliver Scholz

2 Answers


You also have to

  1. Explicitly enable loopback mode for pinentry in your gpg-agent.conf.
  2. Configure epa to use loopback for pinentry.
  3. Start the pinentry server in Emacs.

1. Enable Emacs pinentry and loopback mode for gpg-agent

Put this in your ~/.gnupg/gpg-agent.conf:

allow-emacs-pinentry
allow-loopback-pinentry

Then tell gpg-agent to load this configuration with gpgconf in a shell:

gpgconf --reload gpg-agent

2. Configure EasyPG Assistant to use loopback for pinentry

In emacs, either do

M-x customize-group RET epa RET

Then set “Epa Pinentry Mode” to ‘loopback’ and apply.

Or put this in your ~/.emacs file:

(setq epa-pinentry-mode 'loopback)

Note: epa-pinentry-mode is deprecated since 27.1. Either do

M-x customize-group RET epg RET

Then set “Epg Pinentry Mode” to ‘loopback’ and apply.

Or put this in your ~/.emacs file:

(setq epg-pinentry-mode 'loopback)

Finally, in Emacs, do

M-x pinentry-start RET

This starts the server for the current session. To start it in each new Emacs instance, put this into your .emacs:

(pinentry-start)
Oliver Scholz
  • I have implemented this approach and while it works using pass from within emacs I can no longer run pass from the command line. Is this the case for you? – orion Jun 22 '18 at 06:58

For setups with GnuPG >= 2.1, the pinentry package is not needed anymore.

Quote from the Emacs News.26 file:

** The pinentry.el library has been removed.
That package (and the corresponding change in GnuPG and pinentry)
was intended to provide a way to input passphrase through Emacs with
GnuPG 2.0.  However, the change to support that was only implemented
in GnuPG >= 2.1 and didn't get backported to GnuPG 2.0.  And with
GnuPG 2.1 and later, pinentry.el is not needed at all.  So the
library was useless, and we removed it.  GnuPG 2.0 is no longer
supported by the upstream project.

To adapt to the change, you may need to set 'epa-pinentry-mode' to the
symbol 'loopback'.  Alternatively, leave 'epa-pinentry-mode' at its
default value of nil, and remove the 'allow-emacs-pinentry' setting
from your 'gpg-agent.conf' configuration file, usually found in the
'~/.gnupg' directory.

Note that previously, it was said that passphrase input through
minibuffer would be much less secure than other graphical pinentry
programs.  However, these days the difference is insignificant: the
'read-password' function sufficiently protects input from leakage to
message logs.  Emacs still doesn't use secure memory to protect
passphrases, but it was also removed from other pinentry programs as
the attack is unrealistic on modern computer systems which don't
utilize swap memory usually.

See also a discussion on why pinentry was removed from Emacs core.

So a setup may now consist of:

  1. In Emacs' user-init-file:
(require 'epg)
(setq epg-pinentry-mode 'loopback)
  2. In ~/.gnupg/gpg-agent.conf:
allow-emacs-pinentry
# on Mac OS
pinentry-program /usr/local/bin/pinentry-mac
Y. E.
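The two answers describe the same setup for different Emacs versions (epa-pinentry-mode before 27.1, epg-pinentry-mode from 27.1 on, and pinentry-start only while pinentry.el was still shipped). The following init-file snippet is an added example, not code from either answer: it applies the steps above in one place, picking the variable that exists in the running Emacs and warning when gpg-agent.conf does not contain the allow-loopback-pinentry line that the first answer's step 1 requires on the questioner's GnuPG 2.1.11. The my/ function names are mine; everything else is standard Emacs.

```elisp
;; Added example (not from the original answers): version-aware loopback
;; pinentry setup for EasyPG, with a check of gpg-agent.conf.
(require 'epg)

(defun my/gpg-agent-conf-file ()
  "Return the path of gpg-agent.conf, honouring GNUPGHOME when it is set."
  (expand-file-name "gpg-agent.conf"
                    (or (getenv "GNUPGHOME") "~/.gnupg")))

(defun my/gpg-agent-conf-has-option-p (option)
  "Return non-nil if gpg-agent.conf contains OPTION as an uncommented line."
  (let ((conf (my/gpg-agent-conf-file)))
    (and (file-readable-p conf)
         (with-temp-buffer
           (insert-file-contents conf)
           (goto-char (point-min))
           ;; Anchor both ends so that "#allow-loopback-pinentry" or
           ;; "no-allow-loopback-pinentry" do not count as a match.
           (re-search-forward
            (concat "^[ \t]*" (regexp-quote option) "[ \t]*$")
            nil t)))))

(defun my/setup-minibuffer-pinentry ()
  "Make EasyPG ask for the GnuPG passphrase in the minibuffer."
  ;; Emacs 27.1 renamed epa-pinentry-mode to epg-pinentry-mode; set the
  ;; name that is native to the running version.
  (if (boundp 'epg-pinentry-mode)
      (setq epg-pinentry-mode 'loopback)
    (setq epa-pinentry-mode 'loopback))
  ;; In loopback mode gpg-agent refuses the request when the option from
  ;; step 1 of the first answer is missing, which surfaces as the bare
  ;; error the question describes.  Say so at startup instead.
  (unless (my/gpg-agent-conf-has-option-p "allow-loopback-pinentry")
    (display-warning
     'epg
     (format "%s lacks allow-loopback-pinentry; add it and run: gpgconf --reload gpg-agent"
             (my/gpg-agent-conf-file))))
  ;; pinentry-start exists only where pinentry.el is installed (Emacs 25,
  ;; or the GNU ELPA package); Emacs 26.1 and later do not need it.
  (when (fboundp 'pinentry-start)
    (pinentry-start)))

(my/setup-minibuffer-pinentry)
```

Put the block in the user-init-file and restart Emacs; the warning, if any, appears in the *Warnings* buffer before the first decryption is attempted, so the configuration problem is separated from any problem with the key itself.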