WSL does not have native support for USB devices, which means it can't detect the YubiKey plugged into your computer. It seems like USB support will come soon, but for now we need to use a workaround.
The workaround consists of exposing a GPG socket from Windows to your WSL Linux instance. That way, your WSL's `gpg` command will connect to your Windows's `gpg` software and will be able to detect your USB YubiKey.
- Install GnuPG on Windows
- Install PuTTY on Windows
- Run the following 2 commands in PowerShell to create your GPG conf file:

  ```powershell
  # In PowerShell
  mkdir $env:APPDATA/gnupg
  Add-Content -Path $env:APPDATA/gnupg/gpg-agent.conf -Value "enable-putty-support`r`nenable-ssh-support"
  mkdir $env:LOCALAPPDATA/gnupg
  Add-Content -Path $env:LOCALAPPDATA/gnupg/gpg-agent.conf -Value "enable-putty-support`r`nenable-ssh-support"
  ```
- If you connect your YubiKey now, you should be able to see it from Windows if you run the following command from PowerShell:

  ```powershell
  # In PowerShell
  gpg --card-status
  ```

  You should also see the YubiKey inside the "Smartcards" tab of the Kleopatra app that was installed together with GnuPG.
- Now that GPG can see your YubiKey on Windows, it's time to expose it to your WSL Linux. First, install `socat` in your WSL Linux:

  ```bash
  # In WSL
  sudo apt install socat
  ```
- Now let's install wsl2-ssh-pageant using the instructions from their README:

  ```bash
  # In WSL
  windows_destination="/mnt/c/Users/Public/Downloads/wsl2-ssh-pageant.exe"
  linux_destination="$HOME/.ssh/wsl2-ssh-pageant.exe"
  wget -O "$windows_destination" "https://github.com/BlackReloaded/wsl2-ssh-pageant/releases/latest/download/wsl2-ssh-pageant.exe"
  # Set the executable bit.
  chmod +x "$windows_destination"
  # Symlink to linux for ease of use later
  ln -s "$windows_destination" "$linux_destination"
  ```
- Finally, add the following config to your `.bashrc` file. You can open it in vscode from WSL with `code ~/.bashrc`. IMPORTANT: Replace `YOUR-WINDOWS-USERNAME-HERE` with your Windows username folder.

  ```bash
  # WSL2-SSH-PAGEANT config
  # https://github.com/BlackReloaded/wsl2-ssh-pageant
  # https://github.com/BlackReloaded/wsl2-ssh-pageant/issues/37
  export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
  if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
      rm -f "$SSH_AUTH_SOCK"
      wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
      if test -x "$wsl2_ssh_pageant_bin"; then
          (setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
      else
          echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
      fi
      unset wsl2_ssh_pageant_bin
  fi

  export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
  if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
      rm -rf "$GPG_AGENT_SOCK"
      wsl2_ssh_pageant_bin="$HOME/.ssh/wsl2-ssh-pageant.exe"
      if test -x "$wsl2_ssh_pageant_bin"; then
          (setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin -gpgConfigBasepath 'C:/Users/YOUR-WINDOWS-USERNAME-HERE/AppData/Local/gnupg' -gpg S.gpg-agent" >/dev/null 2>&1 &)
      else
          echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
      fi
      unset wsl2_ssh_pageant_bin
  fi
  ```
- Now restart your PC just to be sure (or just restart WSL with `wsl --shutdown` from PowerShell)
- On your WSL Linux, you should now be able to see the YubiKey from GPG:

  ```bash
  # On WSL
  gpg --card-status
  ```
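
The download step above fetches the `latest` release into `C:/Users/Public/Downloads`, a folder shared between local Windows accounts, and the `.bashrc` config then runs that binary as the bridge to your SSH and GPG agents. As an added example (not part of the original post or the wsl2-ssh-pageant project), the functions below pin the binary's SHA-256 once after install and check it before the bridge is started; the function names and the pin file path are assumptions made here.

```shell
# Added example: trust-on-first-use digest pin for the bridge binary.
# Assumption: the pin file path is a hypothetical name chosen for this example.
BRIDGE_PIN_FILE="${BRIDGE_PIN_FILE:-$HOME/.ssh/wsl2-ssh-pageant.sha256}"

# Print the SHA-256 of the file that a path (or symlink) resolves to.
# Function bodies run in subshells so no helper variables leak into the shell.
bridge_digest() (
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || return 1
    out=$(sha256sum "$target") || return 1
    printf '%s\n' "${out%% *}"
)

# Record the digest once, right after downloading and reviewing the release.
pin_bridge_binary() (
    digest=$(bridge_digest "$1") || return 1
    umask 077   # pin file readable by the owner only
    printf '%s\n' "$digest" > "$BRIDGE_PIN_FILE"
)

# Return 0 only if the binary still matches the pinned digest.
# 1 = digest mismatch, 2 = no pin recorded, 3 = binary missing or unreadable.
verify_bridge_binary() (
    [ -r "$BRIDGE_PIN_FILE" ] || { echo >&2 "No digest pinned for $1"; return 2; }
    current=$(bridge_digest "$1") || { echo >&2 "Cannot hash $1"; return 3; }
    [ "$current" = "$(cat "$BRIDGE_PIN_FILE")" ] && return 0
    echo >&2 "WARNING: $1 no longer matches its pinned digest."
    return 1
)
```

Run `pin_bridge_binary "$HOME/.ssh/wsl2-ssh-pageant.exe"` once after the download, then change each `if test -x "$wsl2_ssh_pageant_bin"; then` in the `.bashrc` config to `if test -x "$wsl2_ssh_pageant_bin" && verify_bridge_binary "$wsl2_ssh_pageant_bin"; then`. After a deliberate upgrade of the binary, pin it again.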