How to use gpg as ssh agent

If you don't know how to create GPG keys, read How to create gpg keypair first.

Enable gpg-agent's SSH support:

[email protected] ~ % echo enable-ssh-support >> $HOME/.gnupg/gpg-agent.conf

Set SSH_AUTH_SOCK so that ssh talks to gpg-agent instead of ssh-agent. Add this to your .bash_profile or .zshrc:

# Point ssh at gpg-agent's socket unless gpg-agent already set it for this shell
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
# Tell gpg-agent which terminal to use for pinentry prompts
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null

Enable the gpg subkey for ssh authentication:

  • Get the subkey keygrip
[email protected] ~ % gpg --list-keys --with-keygrip

[email protected] ~ % gpg -K --with-keygrip
sec#  rsa4096 2021-02-07 [SC] [expires: 2031-02-07]
      Keygrip = CD02E01C898C378214163C91F3D1E93107B0EBDB
uid           [ultimate] Amrith P. Vengalath <[email protected]>
ssb   rsa4096 2021-02-07 [E] [expires: 2023-02-09]
      Keygrip = 4778AA4AE919B0387C24389FC2E86C4B7749FAD4
ssb   rsa4096 2021-02-09 [S] [expires: 2023-02-09]
      Keygrip = B19D2224DBBBCC324679AC3CDA97337035477338
ssb   rsa4096 2021-02-10 [A] [expires: 2023-02-10]
      Keygrip = 53C518FCC568C4D3659AD3FF0C0A567CC9593DB5
  • Add the keygrip of your authentication subkey (the one marked [A]) to the list of approved keys
[email protected] ~ % echo 53C518FCC568C4D3659AD3FF0C0A567CC9593DB5 >> ~/.gnupg/sshcontrol
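As an added example (not from the original post), this POSIX shell script automates the two steps above: it picks the keygrip of the authentication-capable subkey out of gpg's machine-readable --with-colons listing and appends it to sshcontrol only if it is not already there. The sample listing is constructed; key ids, dates and fingerprints are placeholders, and the keygrips are the ones from the listing above.

```shell
# Added example, not part of the original post.  Field numbers follow GnuPG's
# doc/DETAILS for --with-colons output:
#   field 1  = record type (sec, ssb, grp, ...)
#   field 12 = key capabilities (e, s, c, a; lower case = this key itself)
#   field 10 = the keygrip on a "grp" record (it follows its sec/ssb record)
# stdin: `gpg -K --with-keygrip --with-colons` output
# stdout: one keygrip per line, only for keys that can authenticate ([A])
auth_keygrips() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { want = (index($12, "a") > 0) }
    $1 == "grp" && want        { print $10; want = 0 }
  '
}

# Append a keygrip to an sshcontrol file unless it is already listed.
# Returns 0 when the keygrip was added, 1 when it was already present.
add_to_sshcontrol() {
  file=$1; grip=$2
  touch "$file"
  if grep -qx "$grip" "$file"; then
    return 1
  fi
  echo "$grip" >> "$file"
}

# Constructed sample listing shaped like the real output.  Key ids, dates and
# fingerprints are made-up placeholders; the keygrips are the ones shown in
# the human-readable listing above, and only the last subkey carries "a".
SAMPLE_LISTING='sec:u:4096:1:0000000003EBDB52:1612652400:1928098800::u:::cSC:::#:::23::0:
fpr:::::::::000000000000000000000000000000000000EBDB:
grp:::::::::CD02E01C898C378214163C91F3D1E93107B0EBDB:
uid:u::::1612652400::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:0000000000000001:1612652400:1675900800:::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000001:
grp:::::::::4778AA4AE919B0387C24389FC2E86C4B7749FAD4:
ssb:u:4096:1:0000000000000002:1612825200:1675900800:::::s:::+:::23:
fpr:::::::::0000000000000000000000000000000000000002:
grp:::::::::B19D2224DBBBCC324679AC3CDA97337035477338:
ssb:u:4096:1:00000000A2E43D00:1612911600:1675987200:::::a:::+:::23:
fpr:::::::::00000000000000000000000000000000A2E43D00:
grp:::::::::53C518FCC568C4D3659AD3FF0C0A567CC9593DB5:'

# Demonstration on the sample (prints the [A] subkey's keygrip only):
printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips

# On a real system, wire the two together (not run here):
#   gpg -K --with-keygrip --with-colons | auth_keygrips | while read -r g; do
#     add_to_sshcontrol "$HOME/.gnupg/sshcontrol" "$g" && echo "added $g"
#   done
```

Because add_to_sshcontrol checks for an exact existing line first, re-running the script after adding a new [A] subkey never duplicates entries already in sshcontrol.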

Check if the key is present in the ssh identities list

[email protected] ~ % ssh-add -l
4096 SHA256:adp8owth5AD41Hk6uHYY3M5rl/GJNzizQIXwRugS5t0 (none) (RSA)

Retrieve the public ssh key for the subkey

[email protected] ~ % gpg --export-ssh-key 03EBDB52
ssh-rsa <A_LOT_OF_STUFF_HERE> openpgp:0xA2E43D00

You can test that the key works with your GitHub account. First add the SSH public key exported in the previous step to your GitHub SSH keys, then connect:

[email protected] ~ % ssh -T git@github.com
Hi AmrithVengalath! You've successfully authenticated, but GitHub does not provide shell access.
