
Tired of typing in your GPG password? Have Keepass do it for you! With this Keepass plugin installed and gpg-agent configured you can have Keepass respond to pinentry requests for you.


Clone this repo somewhere it can reside permanently, since we add ENV vars that point to this directory.

Grab a copy of KeepassPinentry.dll and stdproxy.exe from Releases (or build them yourself).

Run install.cmd (it automatically adds the plugin DLL to the Keepass directory).

In Keepass:

  • Add an Entry named "GPG" whose password is your GPG password (the one you want pinentry to use).
  • Add an Entry named "TLSKEY" whose password is the certificate password you created, and add the certificate.p12 file as a binary to this entry.

How it works

The idea is really simple: we tell gpg-agent to use stdproxy as its pinentry program. gpg-agent talks to its pinentry program using a simple text protocol over STDIN/STDOUT. Stdproxy makes a TCP connection (wrapped in SSL) to the keepass-pinentry plugin, which runs a local server. Over this connection, stdproxy forwards whatever gpg-agent writes to its STDIN on to keepass-pinentry, and writes keepass-pinentry's responses to its own STDOUT, where gpg-agent reads them. Keepass-pinentry implements the bare minimum of the pinentry protocol needed to respond to the pinentry request.
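To make the text protocol concrete, here is a minimal pinentry-style responder in Go, the language stdproxy is written in. It is an added example, not this project's code: the names `escapeData`, `respond` and `serve` are hypothetical, the PIN is passed in as a plain argument where the plugin would read the "GPG" entry, and acknowledging every unrecognised command with `OK` is a simplification.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// escapeData percent-escapes the bytes Assuan reserves inside a "D" data line.
func escapeData(s string) string {
	return strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A").Replace(s)
}

// respond returns the reply lines for one request line and whether the session ends.
func respond(line, pin string) ([]string, bool) {
	cmd := strings.ToUpper(strings.SplitN(strings.TrimSpace(line), " ", 2)[0])
	switch cmd {
	case "GETPIN": // the secret travels in a data line, followed by a status line
		return []string{"D " + escapeData(pin), "OK"}, false
	case "BYE":
		return []string{"OK closing connection"}, true
	default: // SETDESC, SETPROMPT, OPTION, ...: acknowledged and ignored here
		return []string{"OK"}, false
	}
}

// serve runs one session: greeting first, then one reply per request line.
func serve(r io.Reader, w io.Writer, pin string) error {
	if _, err := fmt.Fprintln(w, "OK Pleased to meet you"); err != nil {
		return err
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		lines, done := respond(sc.Text(), pin)
		_, err := fmt.Fprint(w, strings.Join(lines, "\n")+"\n")
		if err != nil || done {
			return err
		}
	}
	return sc.Err()
}

func main() { // constructed session and constructed PIN, for illustration only
	req := strings.NewReader("SETDESC Unlock key\nGETPIN\nBYE\n")
	if err := serve(req, os.Stdout, "constructed-100%-pin"); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```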

Building locally / Development



  • Docker for Windows or dotnet

You can rebuild the DLL by running build.cmd, or running dotnet inside KeepassPinentry/.



  • Go

cd into stdproxy/ and run "go build"


The SSL encryption here is probably silly since this is only ever intended to be run with a local keepass-pinentry server & gpg-agent, but it was fun adding the encryption layer.

The code is really rough because this was just a personal tool, so forgive me for that!

Future work

  • Fallback to non-SSL TCP when certificate not present.
  • Add tests