Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
GNUPG agent forwarding

Forward GNUPG agent with the following steps:

On the remote insecure machine:

Run gpg once to create the directory structure.

gpg --list-keys

On the local machine:

Create file: $HOME/.gnupg/gpg-agent.conf

extra-socket $HOME/.gnupg/S.gpg-agent.extra
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 1800


gpg-connect-agent reloadagent /bye

Edit $HOME/.ssh/config to include (replace usernames correctly):

host gpgtunnel
    hostname hostipaddress
    User yourusername
    RemoteForward /home/<user>/.gnupg/S.gpg-agent /home/<user>/.gnupg/S.gpg-agent.extra

Copy over the public keyring to the remote machine

scp $HOME/.gnupg/pubring.* gpgtunnel:$HOME/.gnupg/

If the gpg versions between the two servers are different then you might have to change the file names. For example I had to change pubring.gpg to pubring.kbx when moving from one machine to the other.

Now test that the gpg-agent works on the local machine:

echo "test" | gpg2 --encrypt -r MYKEYID 
echo "test" | gpg2 --encrypt -r MYKEYID > output
gpg2 --decrypt output

The code will ask you for your password twice, once to encrypt and then to decrypt. After that the key pass phrase is cached for the cachetime specified in the gpg-agent configuration file above.

Now ssh to remote machine

scp output gpgtunnel:
ssh gpgtunnel
gpg2 --decrypt output

The gpg-agent should be able to use your authentication on the local machine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment