5 GnuPG Pinentry

An important component of the GnuPG suite is the Pinentry, which allows for secure entry of passphrases requested by GnuPG. GnuPG ships several programs that can act as the Pinentry, ranging from the plain TTY-only pinentry-tty to graphical dialogs for various desktop environments, such as pinentry-gnome3. Your operating system usually determines which of these is used by default.

Note that the selection of a concrete Pinentry program determines only how GnuPG queries for passphrases and not how often. For the latter question see Caching Passphrases.

With some configuration Emacs can also play the role of a Pinentry. The most natural choice, available with GnuPG 2.1.5 and later, is to use Emacs itself as Pinentry for requests that are triggered by Emacs. For example, if you open a file whose name ends with .gpg using automatic decryption, you most likely also want to enter the passphrase for that request in Emacs.

This so-called loopback Pinentry has the added benefit that it also works when you use Emacs remotely or from a text-only terminal. To enable it:

  1. Ensure that option allow-loopback-pinentry is configured for gpg-agent, which should be the default. See Option Summary in Using the GNU Privacy Guard.
  2. Customize variable epg-pinentry-mode to loopback in Emacs.
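The two steps above as a single init file fragment, added here as an example; it is not code from the EasyPG manual or from GnuPG. Before switching epg-pinentry-mode it checks the two prerequisites the steps rely on: the GnuPG version reported by epg-find-configuration, and the gpg-agent configuration file, where an explicit no-allow-loopback-pinentry line would override the default. The my/ prefix and the function names are hypothetical, and the configuration file location assumed is $GNUPGHOME/gpg-agent.conf, falling back to ~/.gnupg/gpg-agent.conf.

```elisp
;; Added example, not from the EasyPG manual: enable the loopback
;; Pinentry only when both prerequisites are satisfied.
(require 'epg-config)

(defun my/gpg-agent-conf-file ()
  "Return the path of gpg-agent.conf, honoring $GNUPGHOME (assumed layout)."
  (expand-file-name "gpg-agent.conf"
                    (or (getenv "GNUPGHOME") "~/.gnupg")))

(defun my/gpg-agent-allows-loopback-p ()
  "Return non-nil unless gpg-agent.conf disables the loopback Pinentry.
Loopback is allowed by default; an explicit no-allow-loopback-pinentry
line turns it off, so that line is the only thing we look for."
  (let ((conf (my/gpg-agent-conf-file)))
    (not (and (file-readable-p conf)
              (with-temp-buffer
                (insert-file-contents conf)
                (goto-char (point-min))
                (re-search-forward
                 "^[ \t]*no-allow-loopback-pinentry\\b" nil t))))))

(defun my/epg-enable-loopback-pinentry ()
  "Use Emacs as Pinentry if GnuPG and gpg-agent support it.
Return the new value of `epg-pinentry-mode', or nil after explaining why
it was left alone."
  (let* ((config (ignore-errors (epg-find-configuration 'OpenPGP)))
         (version (alist-get 'version config)))
    (cond
     ((null config)
      (message "epg: no usable gpg found; epg-pinentry-mode left unchanged")
      nil)
     ((version< version "2.1.5")
      (message "epg: gpg %s predates loopback pinentry support" version)
      nil)
     ((not (my/gpg-agent-allows-loopback-p))
      (message "epg: %s sets no-allow-loopback-pinentry; remove it or add allow-loopback-pinentry"
               (my/gpg-agent-conf-file))
      nil)
     (t
      (setq epg-pinentry-mode 'loopback)))))

;; Call once at startup; decryption triggered from Emacs will then prompt
;; in the minibuffer instead of spawning an external Pinentry program.
(my/epg-enable-loopback-pinentry)
```

If you do edit gpg-agent.conf, run `gpgconf --reload gpg-agent` afterwards so the running agent picks up the change; the Emacs side takes effect on the next EasyPG operation without a restart.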

There are other ways to use Emacs as a Pinentry: you might come across a Pinentry program called pinentry-emacs or the gpg-agent option allow-emacs-pinentry. However, these are considered insecure or semi-obsolete and might not be supported by your operating system or distribution. For example, Debian GNU/Linux supports only the loopback Pinentry described above.