Recent versions of GnuPG use pinentry to grab a passphrase from the user. The pinentry program has versions for ncurses, qt4, and gtk. However, at startup, even ncurses may not work. If you have a dmcrypt mapping using an encrypted gpg key, it won't ask for the passphrase at startup. According to the "Common Problems" page in the GnuPG docs (http://www.gnupg.org/documentation/manuals/gnupg/Common-Problems.html), the GPG_TTY var must be set for pinentry-ncurses to work. Alternatively, the --pinentry-program option could be used for a custom, pure console version of pinentry.

Reproducible: Always

Steps to Reproduce:
1. Create an encrypted gpg key for the filesystem:
   $ dd if=/dev/random count=1 | gpg --symmetric -a > /fs_key.gpg
2. Set up a dmcrypt mapping in /etc/conf.d/dmcrypt using a GnuPG key. Example:
   target=crypt-fs
   source=/dev/sda5
   key='/fs_key.gpg:gpg'
3. Reboot. It will not set up /dev/mapper/crypt-fs as expected.
I've never needed to set GPG_TTY and things work fine for me. Further, the FAQ you reference does not say it must be set. It only says "GPG_TTY has not been set correctly". That means "if it is set, it must be set to a valid value".
The GPG_TTY var has to be set for pinentry-curses to work, period. I can replicate that much without having to reboot:

$ export | grep GPG_TTY
$ dd if=/dev/random count=1 | gpg --symmetric -a
0+1 records in
0+1 records out
128 bytes (128 B) copied, 0.000999918 s, 128 kB/s
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
pinentry-curses: no LC_CTYPE known - assuming UTF-8
*** HIT CTL-C ***
gpg: signal Interrupt caught ... exiting
$ export GPG_TTY=`tty`
$ dd if=/dev/random count=1 | gpg --symmetric -a
0+1 records in
0+1 records out
128 bytes (128 B) copied, 0 s, Infinity B/s
*** NCURSES POPUP FOR PASSPHRASE ***
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (GNU/Linux)

jA0EAwMCyZtzftf0jqzOyZkeCR+qciFRk429dbg71NIGfaimcukaXjUiaCugT3Hn
hUlnbdxwqVPoOgXdmxCOogrCFrwyDxO8I3OCvXp0pH+cBjo/I71yViC17gy1W42j
4n4IQJHrnMcfO+jFDDeFJ6lX5TP1aEIKAIvW24+NIuYTmgf9sqOVepz2gsxJqE2p
k3ur+7I9wT6KRjNBnXkTsmkRXSNBkrUDEjw=
=DoKZ
-----END PGP MESSAGE-----
How is your example relevant? You're taking over the stdin of gpg with that pipe, which is not what the cryptsetup startup code does.
Timm: If you add GPG_TTY="$(tty)" on the same line (162) where gpg is executed in /etc/init.d/dmcrypt, does it work for you? It should detect the tty automatically, as stdin is not redirected anywhere... I just want to be sure.
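The suggestion above (exporting GPG_TTY="$(tty)" on the line that runs gpg) has one failure mode worth handling before it goes into an init script: when the script has no controlling terminal, `tty` prints "not a tty" and exits 1, so GPG_TTY would be set to garbage and pinentry-curses would still have nowhere to draw. The following POSIX sh snippet is an added example, not code from the dmcrypt init script or from GnuPG; the function names, the optional fallback console argument and the key path used in the demo are assumptions. It resolves a usable terminal first, refuses to call gpg at all when none exists, and otherwise decrypts a gpg-encrypted key file the way step 2 of the report expects:

```shell
#!/bin/sh
# Added example: pick a terminal for pinentry-curses before running gpg,
# and fail cleanly instead of handing gpg a bogus GPG_TTY.

# Print the terminal device pinentry should use, or print nothing and
# return 1 when there is none. A fallback console (e.g. /dev/tty1) may be
# passed as $1 for early-boot use; it is only accepted if it exists as a
# character device.
gpg_tty_for_pinentry() {
    fallback="${1:-}"
    if [ -t 0 ]; then
        # stdin is a real terminal: `tty` is reliable here
        tty
        return 0
    fi
    if [ -n "$fallback" ] && [ -c "$fallback" ]; then
        printf '%s\n' "$fallback"
        return 0
    fi
    # no terminal available: pinentry-curses could not prompt anyway
    return 1
}

# Decrypt a symmetrically encrypted key file (as produced by
# `gpg --symmetric -a`) to stdout, prompting on the resolved terminal.
# $1 = key file path, $2 = optional fallback console device.
decrypt_gpg_key() {
    keyfile="$1"
    console="${2:-}"
    if ! GPG_TTY=$(gpg_tty_for_pinentry "$console"); then
        echo "decrypt_gpg_key: no terminal for pinentry; cannot ask for the passphrase of $keyfile" >&2
        return 1
    fi
    export GPG_TTY
    # --batch is deliberately NOT used: the whole point is the passphrase prompt
    gpg --quiet --decrypt "$keyfile"
}

# Stand-alone demo (assumed key path): decrypt and discard the key material.
if [ "${1:-}" = "--demo" ]; then
    decrypt_gpg_key /fs_key.gpg /dev/tty1 > /dev/null && echo "key decrypted"
fi
```

In an init script the call would be `key=$(decrypt_gpg_key "$keyfile" /dev/console)`; the nonzero return lets the script report "no terminal for pinentry" rather than hanging or silently skipping the mapping, which is the symptom described in the report.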
Hi Timm, Please reopen if you have more details. Thanks,