
@rmtsrc
Last active August 6, 2024 07:57
Automatically unlock your password protected SSH/GPG keys on Windows and WSL persisted across restarts

Shared Windows/WSL SSH/GPG key agents

By default, SSH and GPG key agents are not shared between Windows and WSL.

This means that, by default, if your SSH/GPG keys are encrypted with a password you will be prompted for it each time they are used, unless you add them to a key agent on both Windows and WSL.

Using win-gpg-agent allows you to add your SSH and GPG keys to the agent and also lets you save their passwords, so you don't need to enter them again for each platform or after a restart, while the keys stay encrypted with their passwords on disk and the saved passwords are protected by your Windows account.

Disable Windows ssh-agent (if enabled)

  1. Press the Windows key and search for "Services"
  2. Scroll down to "OpenSSH Authentication Agent" and double click
  3. Change "Startup type" to "Disabled" (if not already)
  4. Press "Stop" (if service is running)
  5. Press OK

Install & setup GnuPG/win-gpg-agent/ssh-agent

  1. Open Windows Terminal and enter winget install GnuPG.GnuPG

  2. Download:

  3. Extract both into "C:\win-gpg-agent"

  4. Double click agent-gui.exe to start the key agent

  5. Press Windows+E and change address/location to: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup

  6. In C:\win-gpg-agent right click agent-gui.exe and drag and drop it into the Startup folder, choosing "Create shortcut here"

  7. Open Windows Terminal, click the down arrow next to the plus on the tab bar and choose Ubuntu or Debian

  8. Run mkdir ~/.ssh

  9. In WSL/Ubuntu/Debian add the following to your profile, e.g. via nano ~/.bashrc (or nano ~/.zshrc), and update the paths to match your machine:

    # SSH: relay the WSL agent socket to the Windows OpenSSH agent named pipe
    export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock
    # only start a relay if no socket with this path is already open
    if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
        rm -f "$SSH_AUTH_SOCK"   # remove a stale socket file left by a previous session
        ( setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/mnt/c/win-gpg-agent/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork & )
    fi
    
    # GPG: relay the WSL gpg-agent socket to the Windows gpg-agent socket via sorelay
    export GPG_SOCK=$HOME/.gnupg/S.gpg-agent
    mkdir -p -m 700 "$HOME/.gnupg"   # the directory must exist before the socket can be created
    if ! ss -a | grep -q "$GPG_SOCK"; then
        rm -f "$GPG_SOCK"
        # replace "Seb" with your Windows user name; the backslash escapes the colon for socat
        ( setsid socat UNIX-LISTEN:"$GPG_SOCK",fork EXEC:"/mnt/c/win-gpg-agent/sorelay.exe -a c\:/Users/Seb/AppData/Local/gnupg/S.gpg-agent",nofork & ) >/dev/null 2>&1
    fi
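The profile snippet above checks for any open socket whose path contains the agent path and then starts socat. The following is an added example (not part of the gist) of the same start-up logic written as reusable functions with two extra checks a practitioner would want: the socket's parent directory is verified to be owner-only before a relay is started (the agent socket grants use of every loaded key, so it must not be readable by other users), and only a *listening* UNIX socket counts as a live relay, so a stale file or an unrelated socket does not suppress the restart. The relay paths, the /mnt/c/win-gpg-agent location and the Windows gnupg directory are assumptions to adjust for your machine; `stat -c` and `ss` are the GNU/iproute2 tools present in WSL.

```shell
#!/bin/sh
# Added example, not the gist's own code. Assumes socat, ss, GNU stat and the
# win-gpg-agent binaries under /mnt/c/win-gpg-agent (assumed paths).

# dir_is_private DIR: succeed only if DIR is owned by the caller and has
# mode 700, so no other account can reach the agent socket inside it.
dir_is_private() {
    [ -d "$1" ] || return 1
    case $(stat -c '%a %u' "$1") in
        "700 $(id -u)") return 0 ;;
        *) return 1 ;;
    esac
}

# secure_dir DIR: create DIR if needed, force mode 700 and confirm the result.
secure_dir() {
    mkdir -p "$1" || return 1
    chmod 700 "$1" || return 1
    dir_is_private "$1"
}

# relay_listening SOCK: succeed if a UNIX socket is *listening* at exactly SOCK.
# `ss -lx` lists listening UNIX sockets; any whitespace-separated field equal
# to SOCK is accepted so the check does not depend on column order.
relay_listening() {
    ss -lx 2>/dev/null | awk -v s="$1" '
        { for (i = 1; i <= NF; i++) if ($i == s) found = 1 }
        END { exit !found }'
}

# ensure_relay SOCK RELAY_CMD: start a socat relay on SOCK unless one is already
# listening. A leftover socket file is removed first; umask=077 makes the new
# socket owner-only. RELAY_CMD is passed to socat's EXEC address, so a colon in
# a Windows path inside it must be escaped as "\:" (see the usage below).
ensure_relay() {
    sock=$1
    relay=$2
    if ! secure_dir "$(dirname "$sock")"; then
        echo "ensure_relay: refusing to start, $(dirname "$sock") is not private" >&2
        return 1
    fi
    relay_listening "$sock" && return 0
    rm -f "$sock"
    ( setsid socat "UNIX-LISTEN:$sock,fork,umask=077" "EXEC:$relay,nofork" >/dev/null 2>&1 & )
}

# Usage in ~/.bashrc (assumed paths; replace <user> with your Windows user name):
#   export SSH_AUTH_SOCK=$HOME/.ssh/agent.sock
#   ensure_relay "$SSH_AUTH_SOCK" "/mnt/c/win-gpg-agent/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent"
#   export GPG_SOCK=$HOME/.gnupg/S.gpg-agent
#   ensure_relay "$GPG_SOCK" '/mnt/c/win-gpg-agent/sorelay.exe -a c\:/Users/<user>/AppData/Local/gnupg/S.gpg-agent'
```

Because `ensure_relay` refuses to run when the socket directory is shared, a misconfigured `~/.ssh` or `~/.gnupg` fails loudly at shell start instead of silently exposing the forwarded agent to other local accounts.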

Create/add keys to agent

  1. If you have not already done so, see Generating a new SSH key and Generating a new GPG key, set secure passwords for both and follow the guide to add them to your GitHub account
  2. Add them to the key agents via ssh-add (in PowerShell) and gpg --import <your-gpg-file> (in PowerShell & WSL). You should be prompted to save your key passwords via GnuPG/win-gpg-agent
  3. Restart computer and after the GUI wrapper icon appears in the system tray, check that the following still works in both PowerShell and WSL Terminal:
    • ssh-add -l
    • ssh -T git@github.com
    • gpg --list-secret-keys --keyid-format=long
    • gpg-connect-agent 'keyinfo --list' /bye
  4. Use gpg --list-secret-keys --keyid-format=long to find your GPG key ID; it appears in the output line sec 4096R/YOUR-KEY-ID-APPEARS-HERE
  5. Add it to your gitconfig via git config --global user.signingkey YOUR-KEY-ID
  6. Run in Windows PowerShell git config --global gpg.program "C:\Program Files (x86)\GnuPG\bin\gpg.exe" to enable Git commit signing