Most gpg operations fail in FIPS mode on RHEL7 with error: Fatal: can't register GNU Pth with Libgcrypt: Not supported

Solution Verified

Issue

  • On a RHEL 7 system in FIPS-enforcing mode, all gpg commands that require gpg-agent to request a passphrase fail.
    For example, symmetric encryption fails:

    ~]$ echo inputdata | gpg -ac
    gpg-agent[1921]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
    gpg: can't connect to the agent: End of file
    gpg: problem with the agent: No agent running
    gpg-agent[1923]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
    gpg: can't connect to the agent: End of file
    gpg: problem with the agent: No agent running
    gpg: error creating passphrase: Operation cancelled
    gpg: symmetric encryption of `[stdin]' failed: Operation cancelled
    

    Symmetric encryption succeeds if gpg-agent is bypassed:

    ~]$ echo inputdata | gpg -ac --batch --passphrase mypass
    gpg-agent[1991]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
    gpg: can't connect to the agent: End of file
    gpg: problem with the agent: No agent running
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v2.0.22 (GNU/Linux)
    
    jA0EBwMCQei+DJHfurhg0j8B3EIY+RowQUJQYjEI9f7ubiUJgIptQ4L+3T34CBaC
    s16DtqS43UlxfQTqB6TJt9uzcQUHFG4sn8WFMcDKBTM=
    =Oa6A
    -----END PGP MESSAGE-----
    

    Key generation fails:

    ~]$ gpg --gen-key
    gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    gpg: keyring `/home/aabb/.gnupg/secring.gpg' created
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 
    Key does not expire at all
    Is this correct? (y/N) y
    
    GnuPG needs to construct a user ID to identify your key.
    
    Real name: Aaa Bbb
    Email address: aabb@devnull
    Comment: 
    You selected this USER-ID:
        "Aaa Bbb <aabb@devnull>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
    
    gpg-agent[2015]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
    gpg: can't connect to the agent: End of file
    gpg: problem with the agent: No agent running
    gpg-agent[2017]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
    gpg: can't connect to the agent: End of file
    gpg: problem with the agent: No agent running
    gpg: Key generation canceled.
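
The sessions above share one stderr signature and differ only in whether gpg goes on to cancel the operation. The following triage helper is an added example, not part of the original article or Red Hat's code. Its function names, verdict labels and the optional flag-file argument are assumptions of the example, and `/proc/sys/crypto/fips_enabled` is the standard Linux kernel FIPS flag.

```shell
# Added example, not Red Hat's code: triage captured gpg stderr for the
# gpg-agent failure shown above.
SIG="can't register GNU Pth with Libgcrypt: Not supported"

# fips_state [FLAG_FILE] -> prints 1, 0 or unknown. FLAG_FILE defaults to the
# kernel's FIPS flag; the parameter is this example's own, for offline testing.
fips_state() {
    flag=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag" ]; then
        case "$(cat "$flag")" in 1) echo 1 ;; *) echo 0 ;; esac
    else
        echo unknown
    fi
}

# classify_gpg_stderr [FLAG_FILE] < captured-stderr
# Prints "VERDICT agent_crashes=N fips=STATE", where VERDICT is:
#   no-match        the Pth/Libgcrypt signature is absent
#   agent-required  the agent died and gpg cancelled the operation
#   agent-bypassed  the agent died but gpg did not cancel (e.g. --batch run)
classify_gpg_stderr() {
    log=$(cat)
    crashes=$(printf '%s\n' "$log" | grep -cF "$SIG" || true)
    if [ "$crashes" -eq 0 ]; then
        verdict=no-match
    elif printf '%s\n' "$log" | grep -Eqi 'cancell?ed'; then
        verdict=agent-required
    else
        verdict=agent-bypassed
    fi
    echo "$verdict agent_crashes=$crashes fips=$(fips_state "$1")"
}

# Sample input: stderr lines copied from the symmetric-encryption failure above.
sample_failure() {
    cat <<'EOF'
gpg-agent[1921]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
gpg: can't connect to the agent: End of file
gpg: problem with the agent: No agent running
gpg-agent[1923]: Fatal: can't register GNU Pth with Libgcrypt: Not supported
gpg: error creating passphrase: Operation cancelled
EOF
}

sample_failure | classify_gpg_stderr
```

To classify a live run, capture stderr only, for example `gpg --gen-key 2>gpg.err`, then run `classify_gpg_stderr < gpg.err`.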
    

Environment
