Best Answer
Yes, the use of a pinentry program is mandatory with GnuPG 2 and later. This follows from the updated architecture in use nowadays:
GnuPG clients no longer deal with private key material, or with passphrases etc. (as far as possible — as far as I can tell, the only time a passphrase goes through the client is when you change it);
to support this, a separate process, the agent, stores private keys; it runs as a user-level daemon, started automatically when a client needs it;
the agent, being a daemon, doesn’t have an “owning” terminal, nor does it know how to obtain input from the user;
obtaining input from the user is delegated to a pinentry-compatible program of the user’s choice.
The use of a pinentry program ensures that your private key stays confined to the agent (if it knows about it at all of course), without your having to supply the private key and passphrase explicitly to the agent (as happens e.g. with ssh-add). It also ensures that the requests for your passphrase are consistent, regardless of the source of the request (the amount of security that that provides is as usual up for debate).
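To make the delegation described in the answer concrete, here is an added example (not GnuPG's or pinentry's own code, and not part of the original answer) of what "pinentry-compatible" means on the wire: gpg-agent starts the configured pinentry-program and speaks the Assuan line protocol to it over the child's stdin and stdout, sending SETDESC, SETPROMPT and GETPIN and reading back "OK", "D <passphrase>" or "ERR <code> <text>". The passphrase therefore only ever passes between the pinentry process and the agent, never through the gpg client that asked for the signature or decryption. Only the subset of commands needed for a passphrase prompt is implemented; the error codes and the greeting line are the ones libassuan and pinentry use, and the ask_user callback stands in for the GUI or curses dialog of a real pinentry.

```python
"""Minimal pinentry-compatible responder (added example; not GnuPG's or
pinentry's own code).  gpg-agent runs pinentry-program and speaks Assuan
to it over the child's stdin/stdout: commands such as SETDESC, SETPROMPT
and GETPIN go in; "OK", "D <passphrase>" or "ERR <code> <text>" come back.
Only the subset needed for a passphrase prompt is implemented here."""
import re
import sys
import termios
from typing import Callable, List, Optional

# GPG_ERR_CANCELED (99) tagged with the pinentry error source (5 << 24):
# the line gpg-agent expects when the user aborts the dialog.
ERR_CANCELED = "ERR 83886179 Operation cancelled <Pinentry>"
ERR_UNKNOWN = "ERR 275 Unknown IPC command <Pinentry>"  # GPG_ERR_ASS_UNKNOWN_CMD
# Cosmetic settings a tty pinentry may accept without acting on them.
ACCEPTED = {"SETTITLE", "SETOK", "SETCANCEL", "SETNOTOK", "SETERROR",
            "SETKEYINFO", "SETQUALITYBAR", "SETREPEAT", "SETTIMEOUT", "RESET"}


def percent_escape(data: str) -> str:
    """Assuan data lines may not carry raw %, CR or LF."""
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def percent_unescape(data: str) -> str:
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), data.encode())
    return raw.decode("utf-8", "replace")


class MiniPinentry:
    """One Assuan session.  ask_user(desc, prompt) returns the passphrase or
    None on cancel; the secret flows only between this process and the agent,
    never through the gpg client that triggered the operation."""

    def __init__(self, ask_user: Callable[[str, str], Optional[str]]):
        self.ask_user = ask_user
        self.desc, self.prompt, self.ttyname = "", "PIN:", None

    def greeting(self) -> str:
        return "OK Pleased to meet you"

    def handle(self, line: str) -> List[str]:
        """Response line(s) for one command line from the agent."""
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "OPTION":
            name, _, value = arg.partition("=")
            if name == "ttyname":  # the agent has no tty; it names the client's
                self.ttyname = value
            return ["OK"]
        if cmd == "SETDESC":
            self.desc = percent_unescape(arg)
            return ["OK"]
        if cmd == "SETPROMPT":
            self.prompt = percent_unescape(arg)
            return ["OK"]
        if cmd == "GETPIN":
            pin = self.ask_user(self.desc, self.prompt)
            return [ERR_CANCELED] if pin is None else ["D " + percent_escape(pin), "OK"]
        if cmd == "BYE":
            return ["OK closing connection"]
        return ["OK"] if cmd in ACCEPTED else [ERR_UNKNOWN]


def read_secret(ttyname: str, text: str) -> Optional[str]:
    """Prompt on the named tty with echo switched off."""
    with open(ttyname, "r+") as tty:
        fd = tty.fileno()
        old = termios.tcgetattr(fd)
        noecho = list(old)
        noecho[3] &= ~termios.ECHO
        tty.write(text + " ")
        tty.flush()
        termios.tcsetattr(fd, termios.TCSADRAIN, noecho)
        try:
            line = tty.readline()
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, old)
            tty.write("\n")
    return line.rstrip("\n") if line else None


if __name__ == "__main__":  # serve a real agent over the inherited pipes
    session = MiniPinentry(lambda desc, prompt: read_secret(
        session.ttyname or "/dev/tty", desc + "\n" + prompt))
    sys.stdout.write(session.greeting() + "\n")
    sys.stdout.flush()
    for raw in sys.stdin:
        for resp in session.handle(raw):
            sys.stdout.write(resp + "\n")
        sys.stdout.flush()
        if raw.strip().upper() == "BYE":
            break
```

Saved as an executable file and named in gpg-agent.conf with `pinentry-program /path/to/that/file` (then `gpgconf --kill gpg-agent` so the agent restarts with the new setting), this answers a real agent on the terminal gpg was run from, because the agent tells the pinentry which tty to use with `OPTION ttyname=...`. It is a protocol demonstration, not a replacement for the packaged pinentries: it ignores the remaining options, does not handle CONFIRM, and, like any pinentry, is the one process you are trusting with the passphrase once the agent has delegated the prompt to it.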
In Keepass2, choose "Add Entry" and set "Title" to "GPG." Move from the "Entry" tab to the "Auto-Type" tab. Select "Override default sequence" and set it to "{PASSWORD}".
Before you send email, open Keepass2 with your Keepass2 password. Ask IceDove with Enigmail to "Send" and pinentry should appear (locking the keyboard, preventing "Ctrl+V" (or any other keyboard shortcut you normally use to perform auto-type), preventing window switching with "Alt+Tab", etc.).
Use the mouse to highlight the "GPG" entry in Keepass2 and click the "Perform Auto-Type" icon in Keepass2 (left of the "Find" icon and underneath the "Help" menu). As the keyboard "focus" was last on the pinentry text input box, Keepass2 will now start typing your long password for you.
You can use the PINENTRY_USER_DATA environment variable to give gpg information to pass to the pinentry command.
You then need to set pinentry-program to a custom wrapper such as this that will run the curses or the GTK pinentry depending on that variable.
Note that this only seems to work with GPG 2.x, contrary to what the documentation of GPG 1.x says.
So with that script, you use gpg2 to use pinentry-curses and PINENTRY_USER_DATA="gtk" gpg2 to use pinentry-gtk-2.
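The wrapper script the answer refers to is not reproduced on this page, so here is an added example of one (my own code, not the answer's script) that does the same job: gpg passes PINENTRY_USER_DATA to gpg-agent, the agent exports it into the pinentry's environment, and the wrapper picks the real pinentry from it. The mapping table, the fallback to pinentry-curses and the installation path used in the usage note are assumptions. The value of the variable is used as a lookup key into an allowlist rather than executed, so a client can only steer the agent to one of the pinentries you listed, not to an arbitrary program.

```python
#!/usr/bin/env python3
"""pinentry-program wrapper that selects a pinentry from PINENTRY_USER_DATA
(added example; not the script the answer refers to).  gpg hands the
variable to gpg-agent, which exports it into the pinentry's environment, so
the choice made with `PINENTRY_USER_DATA=gtk gpg2 ...` arrives here."""
import os
import shutil
import sys
from typing import Callable, Optional

# Hypothetical mapping: keys are whatever you put in the variable, values
# are the binaries the pinentry packages install.  Keeping this an allowlist
# means the environment can pick a pinentry, not name an arbitrary program.
CHOICES = {"gtk": "pinentry-gtk-2", "curses": "pinentry-curses", "qt": "pinentry-qt"}
FALLBACK = "pinentry-curses"


def choose_pinentry(user_data: Optional[str],
                    which: Callable[[str], Optional[str]] = shutil.which) -> Optional[str]:
    """Absolute path of the pinentry to exec, or None if none is installed.
    Unset, empty or unknown values fall back to the curses pinentry, as does
    a requested program that is not on PATH (gtk asked for on a headless box)."""
    key = (user_data or "").strip().lower()
    wanted = CHOICES.get(key, FALLBACK)
    return which(wanted) or which(FALLBACK)


if __name__ == "__main__":
    target = choose_pinentry(os.environ.get("PINENTRY_USER_DATA"))
    if target is None:
        sys.stderr.write("pinentry wrapper: no pinentry program found on PATH\n")
        sys.exit(1)
    # Replace this process so gpg-agent talks to the real pinentry directly;
    # any arguments the agent passed (e.g. --display) go through unchanged.
    os.execv(target, [target] + sys.argv[1:])
```

Install it as, for instance, ~/.gnupg/pinentry-select.py (assumed path), make it executable, put `pinentry-program /home/you/.gnupg/pinentry-select.py` in gpg-agent.conf and run `gpgconf --kill gpg-agent` so the agent picks the setting up. One caveat when debugging: the PATH that shutil.which searches is gpg-agent's, not your shell's, and an agent started by a session manager may have a shorter one; if a pinentry is "not found" only when run through the agent, put absolute paths in CHOICES.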