Last active February 18, 2022 17:50
Gist: surhudm/a741f79789a5e96dd142695554ee06f5
GNUPG agent forwarding

Forward the local gpg-agent to a remote machine with the following steps. The private keys stay on the local machine: the remote gpg only talks to the forwarded socket, and any passphrase prompt is shown by pinentry on the local machine.

On the remote (insecure) machine:

Run gpg once so that it creates ~/.gnupg (mode 0700) and the empty keyring files:

gpg --list-keys

On the local machine:

Create the file $HOME/.gnupg/gpg-agent.conf. gpg-agent does not expand shell variables such as $HOME in its configuration file, so give the extra socket as an absolute path. On GnuPG 2.1.17 and later the extra socket is created by default and gpgconf --list-dirs agent-extra-socket prints its location, in which case the extra-socket line can be left out:

extra-socket /home/<localuser>/.gnupg/S.gpg-agent.extra
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 1800

Socket settings are only read when the agent starts, so reloadagent alone is not enough; stop the running agent first and let gpg-connect-agent start a fresh one:

gpgconf --kill gpg-agent
gpg-connect-agent reloadagent /bye

Edit $HOME/.ssh/config to include the following. The first RemoteForward path is where the remote gpg looks for its agent socket (gpgconf --list-dirs agent-socket on the remote machine prints it; on systems with /run/user it is /run/user/<uid>/gnupg/S.gpg-agent rather than a path under the home directory), the second is the local extra socket. Both must be absolute paths with the respective usernames filled in:

host gpgtunnel
    hostname hostipaddress
    User yourusername
    RemoteForward /home/<remoteuser>/.gnupg/S.gpg-agent /home/<localuser>/.gnupg/S.gpg-agent.extra

Forwarding a Unix socket needs OpenSSH 6.7 or newer on both ends. sshd refuses to bind a socket path that already exists, so add StreamLocalBindUnlink yes to the remote sshd_config (and restart sshd) so that a socket file left behind by an earlier session is replaced, and make sure no gpg-agent is running on the remote machine (gpgconf --kill gpg-agent there), since its own socket would otherwise take the place of the forwarded one.

Copy the public keyring to the remote machine (the destination is relative to the remote home directory; writing gpgtunnel:$HOME/.gnupg/ would expand the local $HOME and point at the wrong path whenever the usernames differ):

scp $HOME/.gnupg/pubring.* gpgtunnel:.gnupg/

If the GnuPG versions on the two machines differ, the keyring file names differ as well: pubring.gpg for GnuPG 1.x and 2.0, the pubring.kbx keybox for 2.1 and later. These are different on-disk formats, so renaming one to the other does not convert it. In that case export the public key with gpg --export on the local machine and import it with gpg --import on the remote one instead of copying files.

Now test that gpg and the agent work on the local machine:

echo "test" | gpg2 --encrypt -r MYKEYID > output
gpg2 --decrypt output

Encrypting to a public key needs no passphrase; decrypting prompts for it once through pinentry, after which the agent caches it for the default-cache-ttl (1800 seconds) set in gpg-agent.conf above.

Now ssh to the remote machine and decrypt the file there:

scp output gpgtunnel:
ssh gpgtunnel
gpg2 --decrypt output

The remote gpg talks to the forwarded socket, so the decryption is performed by the gpg-agent on the local machine with a key that never left it; if the passphrase cache has expired, the pinentry prompt appears on the local machine, not on the remote one. The forward only exists while that ssh session is open, and during that time anything running as your user on the remote machine can sign and decrypt with every key the local agent holds. That is why the extra socket, rather than the main agent socket, is the one to forward: the agent treats connections on it as restricted and refuses key management operations such as exporting keys over it.
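The whole setup as an added example, written for this page and not taken from the gist or from GnuPG: a POSIX shell script that reads the socket paths from gpgconf --list-dirs instead of hard-coding /home/<user>/.gnupg, refuses non-absolute paths, prints the ssh_config stanza, transfers the public key by export/import rather than by copying keyring files, and checks the forward by comparing the keygrips the agent reports at each end over a one-shot ssh -R. The function names, the constructed SAMPLE_LISTING and SAMPLE_KEYINFO texts, and the host 192.0.2.10 / user bob are assumptions for this example; it assumes OpenSSH 6.7 or newer and GnuPG 2.1.17 or newer on both machines.

```shell
#!/bin/sh
# Added example for gpg-agent forwarding (not code from the gist).
# Assumes OpenSSH >= 6.7 (Unix-socket RemoteForward / -R) and GnuPG >= 2.1.17
# (gpgconf --list-dirs knows agent-extra-socket). Sample texts are constructed.

# Constructed sample of what `gpgconf --list-dirs` prints with no argument.
SAMPLE_LISTING='sysconfdir:/etc/gnupg
homedir:/home/alice/.gnupg
socketdir:/run/user/1000/gnupg
agent-socket:/run/user/1000/gnupg/S.gpg-agent
agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra'

# Constructed sample of the status lines `gpg-connect-agent 'KEYINFO --list' /bye`
# prints for two private keys held by the agent (keygrips are made up).
SAMPLE_KEYINFO='S KEYINFO 8DC3A8F9E1B2C4D5F6A7B8C9D0E1F2A3B4C5D6E7 D - - 1 P - - -
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - - P - - -
OK'

# Pull one "key:value" entry out of a gpgconf --list-dirs listing.
# gpgconf percent-escapes ':' and '%' inside values; socket paths normally
# contain neither, so no unescaping is done here.
gpgconf_dir() {
    # $1 = key (e.g. agent-extra-socket), $2 = listing text
    printf '%s\n' "$2" | awk -F: -v key="$1" \
        '$1 == key { sub(/^[^:]*:/, ""); print; exit }'
}

# Accept only absolute paths: gpg-agent.conf does not expand $HOME, and a
# relative RemoteForward path would bind the socket somewhere unexpected.
check_socket_path() {
    case $1 in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the ssh_config Host block. Argument order follows RemoteForward: the
# path the *remote* gpg expects its agent socket at first, our extra socket second.
gpg_forward_stanza() {
    # $1 alias, $2 hostname, $3 remote user, $4 remote agent socket, $5 local extra socket
    check_socket_path "$4" || { echo "remote socket path must be absolute: $4" >&2; return 1; }
    check_socket_path "$5" || { echo "local socket path must be absolute: $5" >&2; return 1; }
    printf 'Host %s\n    HostName %s\n    User %s\n    RemoteForward %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Sorted keygrips from the "S KEYINFO <grip> ..." status lines of KEYINFO --list.
keygrips_from_status() {
    printf '%s\n' "$1" | awk '/^S KEYINFO/ { print $3 }' | sort
}

# Keygrips reported by the local agent ($1 empty) or, with a one-shot
# -R forward of $3 (local extra socket) to $2 (remote agent socket), by
# whatever agent a gpg on ssh target $1 reaches.
agent_keygrips() {
    if [ -n "$1" ]; then
        out=$(ssh -R "$2:$3" "$1" gpg-connect-agent "'KEYINFO --list'" /bye 2>/dev/null)
    else
        out=$(gpg-connect-agent 'KEYINFO --list' /bye 2>/dev/null)
    fi
    keygrips_from_status "$out"
}

# Transfer a public key without touching keyring files (format-independent).
push_public_key() {
    # $1 = ssh target, $2 = key id
    gpg --export "$2" | ssh "$1" gpg --import
}

# Real run: $1 alias, $2 hostname, $3 remote user. Prints the stanza to add
# to ~/.ssh/config and verifies the forward before any config is edited.
generate_and_verify() {
    local_sock=$(gpgconf --list-dirs agent-extra-socket)
    remote_sock=$(ssh "$3@$2" gpgconf --list-dirs agent-socket)
    gpg_forward_stanza "$1" "$2" "$3" "$remote_sock" "$local_sock" || return 1
    local_g=$(agent_keygrips)
    remote_g=$(agent_keygrips "$3@$2" "$remote_sock" "$local_sock")
    if [ -n "$local_g" ] && [ "$local_g" = "$remote_g" ]; then
        echo "forwarding OK: remote gpg sees the local agent's keys"
    else
        echo "forwarding NOT working: check StreamLocalBindUnlink on the remote sshd" \
             "and kill any gpg-agent running on the remote machine" >&2
        return 1
    fi
}

if [ "$#" -eq 3 ]; then
    generate_and_verify "$1" "$2" "$3"
fi
```

Run it as `sh gpg-forward.sh gpgtunnel hostipaddress yourusername`; the keygrip comparison is a stronger check than a successful decrypt alone, because it fails loudly when the remote gpg has silently started an agent of its own.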


dkg commented Dec 19, 2019

change pubring.gpg to pubring.kbx

This is a bad idea. The different filenames represent distinct internal formats, and simply renaming won't work.


cederom commented May 9, 2021

Here is a good way to transfer a public key :-)


cederom commented May 9, 2021

Also ssh -A needs to be invoked in order to enable forwarding of the authentication agent :-)
