
I'm trying to generate keys to lock my drive (using DM-Crypt with LUKS) by pulling data from /dev/random and then encrypting that using GPG.

In the guide I'm using, it suggests using the following command:

dd if=/dev/random count=1 | gpg --symmetric -a >./[drive]_key.gpg

If you do it without a pipe, and feed it a file, it will pop up an (n?)curses prompt for you to type in a password. However, when I pipe in the data, it repeats the following message four times and sits there frozen:

pinentry-curses: no LC_CTYPE known assuming UTF-8

It also says "can't connect to '/root/.gnupg/S.gpg-agent': File or directory doesn't exist"; however, I am assuming that this doesn't have anything to do with it, since it shows up even when the input is from a file.

So I guess my question boils down to this: is there a way to force gpg to accept the passphrase from the command line, or in some other way get this to work, or will I have to write the data from /dev/random to a temporary file, and then encrypt that file? (Which as far as I know should be alright due to the fact that I'm doing this on the LiveCD and haven't yet created the swap, so there should be no way for it to be written to disk.)

  • gpg's --no-use-agent should tell gpg to not use an agent program, and accept the passphrase typed in the terminal... at least in gpg 1.x, that version still seems used in current Ubuntu & Mint releases
    – Xen2050
    Commented Jan 25, 2017 at 8:48

2 Answers


Make sure you own the tty:

# ls -l $(tty)
crw--w----. 1 foo tty 136, 0 Mar  1 16:53 /dev/pts/0
# chown root $(tty)

Set GPG_TTY:

# export GPG_TTY=$(tty)

gpg/pinentry should work after these steps.

  • Thanks a lot! This helped me pipe to gpg manually, and also fixed an issue I was having with the keybase command line client which pipes to gpg behind the scenes.
    – ajk
    Commented Dec 16, 2014 at 21:50
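The steps from the answer above, wrapped into a small script as an added example (not code from the answer or from the question's guide). It assumes GNU coreutils (stat -c), gpg with pinentry-curses on PATH, a real controlling terminal, and a placeholder output file name.

```shell
#!/bin/sh
# Added example: make the dd | gpg pipeline work by giving pinentry a usable
# terminal, following the answer above (check tty ownership, export GPG_TTY).
# Assumes GNU stat, gpg with pinentry-curses, and an interactive session.

# Succeed only if DEV exists and is owned by the current user. pinentry-curses
# opens the terminal itself to ask for the passphrase, so a tty owned by
# someone else (typical after su) leaves it unable to prompt.
tty_owned_by_me() {
    dev=$1
    owner=$(stat -c %U "$dev" 2>/dev/null) || return 1
    [ "$owner" = "$(id -un)" ]
}

# Point gpg-agent/pinentry at the controlling terminal. Fails when there is
# no controlling tty (e.g. under cron), because pinentry cannot prompt then.
export_gpg_tty() {
    t=$(tty 2>/dev/null) || return 1
    GPG_TTY=$t
    export GPG_TTY
}

# Read COUNT 512-byte blocks from /dev/random and encrypt them symmetrically,
# ASCII-armoured, to OUT, as in the question's command. The raw key bytes
# exist only in the pipe; nothing unencrypted is written to a file.
make_encrypted_key() {
    out=$1
    count=${2:-1}
    export_gpg_tty || { echo "no controlling tty; cannot prompt" >&2; return 1; }
    if ! tty_owned_by_me "$GPG_TTY"; then
        echo "$GPG_TTY not owned by $(id -un); run: chown $(id -un) $GPG_TTY" >&2
        return 1
    fi
    umask 077   # the .gpg file should be readable by its owner only
    dd if=/dev/random bs=512 count="$count" 2>/dev/null | gpg --symmetric -a > "$out"
}

# Usage (placeholder file name): make_encrypted_key ./sda2_key.gpg
```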

Well...in the end, I decided to just write out to a file, and then encrypt that file, assuming that since there was no swap, and the filesystem was in ram, that it would die with the next shutdown.

However, for the reference of anyone who finds this question (and to cement the idea in my head), I will write down a procedure that would work, which I found long after, when creating the initramfs.

What you need to do is go back to a version of gpg before they started using the external pinentry program for password entry. As far as I know, that happened with version 2. Assuming that you have a currently working Linux install, you will want to get a statically compiled version of gpg < 2.0.

This is extremely easy to do with Gentoo, only requiring the following command:

USE="static" emerge -a1 "<gnupg-2"

Just make sure to use ldd to confirm that they are in fact static before you copy them to your thumb drive so that you can use them during the install.

On other distributions, I suggest you look at your package manager, and if that doesn't work, then I would try downloading the sources, and compiling from them.
