graphical pinentry no longer working after upgrading to debian bullseye and pinentry and how to resolve it

Thomas Glanzmann thomas at
Sun Nov 29 08:24:11 CET 2020

I just upgraded to Debian bullseye and the graphical pinentry did not work
anymore. I got the following error message:

2020-11-28 21:37:41 gpg-agent[3535] DBG: connection to PIN entry established
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 -> INQUIRE PINENTRY_LAUNCHED 3633 gtk2:curses 1.1.0 - - -
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 <- END
2020-11-28 21:37:41 gpg-agent[3535] DBG: error calling pinentry: Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] failed to unprotect the secret key: Inappropriate ioctl for device
2020-11-28 21:37:41 gpg-agent[3535] failed to read the secret key
2020-11-28 21:37:41 gpg-agent[3535] command 'PKDECRYPT' failed: Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 -> ERR 83918950 Inappropriate ioctl for device <Pinentry>
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 <- [eof]

I did the following to resolve the issue:

        - Installed pinentry-gnome3, because on one of two systems that
          alone did resolve the issue for me without anything else below.
          I also installed pinentry-gnome3 because it grabs the keyboard,
          and deinstalled any other pinentry (like gtk2, which does not
          grab the keyboard if you have focus follows mouse on fvwm2)

apt install -y pinentry-gnome3 dbus-x11

	- Added the following to my .xsession. This is necessary because in
	  bullseye gpg-agent seems to be started by systemd sometimes without
	  the correct display set
gpg-connect-agent UPDATESTARTUPTTY /bye

	- gpg.conf (just to have a fully working example):
keyserver hkp://
keyserver-options no-honor-keyserver-url
cert-digest-algo SHA512
default-key <key>
encrypt-to <key>
keyid-format 0xlong
keyserver-options auto-key-retrieve
trust-model direct
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

	- gpg-agent.conf (I tried a lot here. In the old days I had keep-display
         and keep-tty and restarted gpg-agent in my .xsession. That does not work
         any longer because systemd seems to start gpg-agent. What also
         worked was calling pinentry using a wrapper script which
         sets the DISPLAY variable explicitly, but this gives me more
         flexibility, not that I need it, because I always enter my
         passphrase using X11 on the system I'm sitting in front of)
default-cache-ttl 34560000
max-cache-ttl 34560000
default-cache-ttl-ssh 34560000
max-cache-ttl-ssh 34560000

With the above setup the following works:

	- gpg locally
gpg -d test.gpg
	- gpg as ssh-agent
ssh remotesystem
	- gpg remotely
ssh -A -R /home/sithglan/.gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent.extra remotesystem gpg -d test.gpg
        - sshfs using gpg as ssh-agent:
# automounter sshfs
apt-get install sshfs autofs
echo '/ssh    /etc/auto.sshfs --timeout=60' >> /etc/auto.master

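cat > /etc/auto.sshfs <<'EOF'
#!/bin/bash
# Executable autofs map: $1 is the lookup key (the remote host name).
echo -e "-fstype=fuse,rw,nodev,noatime,allow_other,ssh_command=/usr/local/sbin/ssh_sshfs / sshfs\#${1}:/"
EOF

cat > /usr/local/sbin/ssh_sshfs <<'EOF'
#!/bin/bash
# autofs runs this as root: re-exec as the user who owns the agent socket.
if [ "${UID}" == 0 ]; then
        exec /usr/bin/sudo -H -u sithglan "$0" "$@"
fi

# Pick up SSH_AUTH_SOCK as written to ~/.ssh/env (see below).
source ~sithglan/.ssh/env

exec /usr/bin/ssh "$@"
EOF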

chmod +x /etc/auto.sshfs /usr/local/sbin/ssh_sshfs
/etc/init.d/autofs restart

        - nsswitch.conf: automount: files

        - 'echo export SSH_AUTH_SOCK=${SSH_AUTH_SOCK} > ~/.ssh/env'

Feedback, improvement and explanations welcome.
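
A way to read the gpg-agent log quoted at the top of this message, as an added example that is not part of the original post: the function summarizes each pinentry launch and whether it ended in the ioctl error. It assumes the fields after PINENTRY_LAUNCHED are pid, flavor, version, ttyname, ttytype and display, with "-" meaning unset; the function names and the last sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize pinentry launches found in a gpg-agent debug log.
# Assumed field order after PINENTRY_LAUNCHED:
#   pid flavor version ttyname ttytype display   ("-" means "not set")

diagnose_pinentry_log() {
    awk '
    function emit() {
        if (pid == "") return
        if (tty == "-" && display == "-") env = "no-tty-no-display"
        else if (display == "-")          env = "tty-only"
        else                              env = "display-set"
        printf "pid=%s flavor=%s version=%s env=%s ioctl_error=%s\n",
               pid, flavor, version, env, (failed ? "yes" : "no")
        pid = ""
    }
    /PINENTRY_LAUNCHED/ {
        emit()                       # finish the previous launch, if any
        for (i = 1; i <= NF; i++) if ($i == "PINENTRY_LAUNCHED") break
        pid = $(i+1); flavor = $(i+2); version = $(i+3)
        tty = $(i+4); display = $(i+6)
        if (tty == "") tty = "-"
        if (display == "") display = "-"
        failed = 0
        next
    }
    # The failure from the post: pinentry had no usable terminal or display.
    /error calling pinentry: Inappropriate ioctl for device/ {
        if (pid != "") failed = 1
    }
    END { emit() }
    '
}

# The first three lines are from the post; the last line is constructed.
sample_log() {
    cat <<'EOF'
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 -> INQUIRE PINENTRY_LAUNCHED 3633 gtk2:curses 1.1.0 - - -
2020-11-28 21:37:41 gpg-agent[3535] DBG: chan_10 <- END
2020-11-28 21:37:41 gpg-agent[3535] DBG: error calling pinentry: Inappropriate ioctl for device <Pinentry>
2020-11-28 21:40:02 gpg-agent[3535] DBG: chan_10 -> INQUIRE PINENTRY_LAUNCHED 4711 gnome3 1.1.0 - - :0
EOF
}

sample_log | diagnose_pinentry_log
```

A launch reported as no-tty-no-display together with ioctl_error=yes matches the situation described above, where gpg-agent was started without the display set.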

