Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
GNUPG agent forwarding

Forward GNUPG agent with the following steps:

On the remote insecure machine:

Run gpg once to create the directory structure.

gpg --list-keys

On the local machine:

Create file: $HOME/.gnupg/gpg-agent.conf

extra-socket $HOME/.gnupg/S.gpg-agent.extra
pinentry-program /usr/bin/pinentry-curses
no-grab
default-cache-ttl 1800

Run

gpg-connect-agent reloadagent /bye

Edit $HOME/.ssh/config to include (replace usernames correctly):

host gpgtunnel
    hostname hostipaddress
    User yourusername
    RemoteForward /home/<user>/.gnupg/S.gpg-agent /home/<user>/.gnupg/S.gpg-agent.extra

Copy over the public keyring to the remote machine

scp $HOME/.gnupg/pubring.* gpgtunnel:$HOME/.gnupg/

If the gpg versions between the two servers are different then you might have to change the file names. For example I had to change pubring.gpg to pubring.kbx when moving from one machine to the other.

Now test that the gpg-agent works on the local machine:

echo "test" | gpg2 --encrypt -r MYKEYID 
echo "test" | gpg2 --encrypt -r MYKEYID > output
gpg2 --decrypt output

The code will ask you for your password twice, once to encrypt and then to decrypt. After that the key pass phrase is cached for the cachetime specified in the gpg-agent configuration file above.

Now ssh to remote machine

scp output gpgtunnel:
ssh gpgtunnel
gpg2 --decrypt output

The gpg-agent should be able to use your authentication on the local machine.

@dkg
Copy link

dkg commented Dec 19, 2019

change pubring.gpg to pubring.kbx

This is a bad idea. the different filenames represent distinct internal formats, and simply renaming won't work.

@cederom
Copy link

cederom commented May 9, 2021

Here is a good way to transfer public key :-) https://github.com/drduh/YubiKey-Guide#adding-notations

@cederom
Copy link

cederom commented May 9, 2021

Also ssh -A needs to be invoked in order to enable forwarding of the authentication agent :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment