32

I am running Gentoo Hardened with kernel 4.1.7-hardened-r1 and I am trying to encrypt a file using GPG from a shell session opened from SSH and with the DISPLAY variable disabled in order to use pinentry-curses for password prompt. Using `gpg -o file.gpg --symmetric file` I can encrypt just fine. Using `pv file | gpg -o file.gpg --symmetric` I get the following error message:

```
gpg-agent[30745]: command get_passphrase failed: Inappropriate ioctl for device
```
RAKK

1 Answer

59

You should set your GPG_TTY variable for it to work, as in this document:

```
GPG_TTY=$(tty)
export GPG_TTY
```

Those two lines are supposed to be in your .bashrc (assuming bash), so they're run every time you open a new terminal session.

There's another solution, though: in bash you can run your pv and pretend it's a file, using process substitution:

```
gpg -o file.gpg --symmetric <(pv file)
```

As such, it might not be a good idea to pipe-in things to programs that expect additional input. It can work differently than expected.

TNW
  • Is there any way to change or fix this behavior? Right now I just tried the exact same read-from-stdin command on Debian and GPG did ask for my password. – RAKK Jan 22 '16 at 18:07
  • @RAKK Could you decrypt resulting file, though? – TNW Jan 22 '16 at 22:07
  • Yes, without a hitch on Debian. Create a little file with random data called `dsfargeg`, encrypt it with `pv dsfargeg | gpg -o dsfargeg.gpg --symmetric`, enter a password when prompted, decrypt the output with `gpg -o dsfargeg.gpg.dec --decrypt dsfargeg.gpg`, enter your password, and compare the original and the decrypted file with `sha256sum dsfargeg dsfargeg.gpg.dec`. Both hashes will be the same. – RAKK Jan 22 '16 at 22:17
  • @RAKK You're right. It seems that gpg is opening `/dev/tty` on Debian. This was version 1.4, though, in my case; gpg got a bit of an overhaul since. That approach might've been dropped for some reason - you might want to find out more on your own (or this can be some Debian-specific patch). As such, it would probably be better for you not to count on it. I'll dig around in traces, to check what exactly is happening in newer gpg (I've got 2.1). – TNW Jan 22 '16 at 22:29
  • Strangely enough, [I've found a solution!](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html) Setting GPG_TTY variable does it for me. I'll update the answer accordingly. – TNW Jan 22 '16 at 22:49
  • Man I was about to burn this Mac due to this fu**: `error: gpg failed to sign the data`. :+1: – joseluisq Dec 03 '19 at 11:47
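
The `GPG_TTY=$(tty)` advice in the answer relies on the shell's stdin being a terminal; when stdin is a pipe, `tty` prints `not a tty` and that string would be exported. The sketch below is an added example, not part of the original answer: the function names `tty_of_fd` and `set_gpg_tty` are hypothetical, and treating any character device as a valid existing `GPG_TTY` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Store in TTY_FOUND the terminal device open on descriptor $1, or return 1.
tty_of_fd() {
    fd=$1
    TTY_FOUND=
    # [ -t N ] is true only when descriptor N is open on a terminal.
    [ -t "$fd" ] || return 1
    # tty(1) reports on its own stdin. Duplicate the descriptor to fd 3
    # first, because inside $( ) fd 1 is the capture pipe, not the terminal.
    { TTY_FOUND=$(tty <&3); } 3<&"$fd" || return 1
    [ -n "$TTY_FOUND" ]
}

# Export GPG_TTY for pinentry-curses. An existing value that names a
# character device is kept (assumption: that is good enough as a sanity
# check); otherwise stdin, stderr and stdout are tried in that order.
# Returns 1 with GPG_TTY unset when no terminal is reachable, instead of
# exporting the literal "not a tty" that a bare $(tty) yields on a pipe.
set_gpg_tty() {
    if [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]; then
        export GPG_TTY
        return 0
    fi
    for fd in 0 2 1; do
        if tty_of_fd "$fd"; then
            GPG_TTY=$TTY_FOUND
            export GPG_TTY
            return 0
        fi
    done
    unset GPG_TTY
    return 1
}

# Typical use at the top of a script whose stdin may be a pipe:
set_gpg_tty || echo "no terminal reachable: pinentry-curses cannot prompt" >&2
```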