SSH with GPG

score

2021-06-17

So apparently you can use GPG to provide SSH keys. Who knew! More precisely, gpg-agent can act as an SSH agent and serve an OpenPGP authentication subkey as an SSH key. That is useful if you want to use OpenPGP-compatible security keys or smart cards (e.g. Nitrokey, Librem Key, YubiKey) with SSH, since the private key never leaves the card.

Setup

You will need to use gpg-agent as an SSH agent.

gpg-agent configuration

It first needs configuring to do so. If you skip this, the failure only shows up much later, when ssh or ssh-add actually tries to talk to the agent and finds no SSH socket, so set it now to avoid difficult-to-debug headaches.

You can either edit ~/.gnupg/gpg-agent.conf manually, adding this:

enable-ssh-support

…or, you can use the gpgconf utility, which seems to be the “proper way”. As is traditional for GPG tools, it has the most arcane possible syntax for the task at hand (name:flags:value, where a value of 1 means “set” for a boolean option). Either way, an agent that is already running keeps its old configuration: restart it with gpgconf --kill gpg-agent, and the next client that connects starts a fresh one.

echo enable-ssh-support:0:1 | gpgconf --change-options gpg-agent

PCSCD

You will need to install pcscd and run it (or enable pcscd.socket in systemd so it starts on demand). On Arch Linux it is part of the pcsclite package.

scdaemon, which gpg-agent starts to talk to the card, is not an alternative to pcscd: it reaches the reader either through pcscd (PC/SC) or through its own built-in CCID driver, which talks to the reader directly over USB and needs no daemon at all as long as your user has access to the USB device (udev rules). That is why some setups appear to work without pcscd installed. If both paths are present and misbehave, disable-ccid in scdaemon.conf forces scdaemon to go through pcscd.

Using ssh with gpg in the first place

It requires a bit of environment setup. I prefer the original ssh-agent for now (I don’t trust gpg-agent with importing my keys, because online the consensus seems to be that nobody has any clue where they’re copied to or how to change their password). So, to keep the original ssh-agent usable while also using gpg-agent for ssh sometimes, I have created a script that sets up the environment needed to run ssh against gpg’s agent: it points SSH_AUTH_SOCK at gpg-agent’s SSH socket (which starts the agent implicitly) and tells the agent that the current terminal is its startup tty (gpg-connect-agent updatestartuptty /bye). The tty step matters because gpg-agent, not ssh, runs pinentry, and a terminal-based pinentry draws its PIN prompt on whichever tty the agent last recorded; without updating it the prompt may appear in a different terminal, or nowhere you can see.

The script will launch whatever command you give to it, e.g. ssh-gpg ssh server or ssh-gpg ssh-add -L. This means you can keep your normal ssh-agent setup active while still using this script.
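Here is what such a wrapper can look like. This is an added example, not the author’s actual script: it assumes GnuPG 2.1 or later (so gpgconf --list-dirs prints an agent-ssh-socket entry), that enable-ssh-support is already configured, that the script is installed as ssh-gpg, and that the socket path lives somewhere colon-free (the /run/user/... path in the comments is illustrative).

```shell
#!/bin/sh
# ssh-gpg: run COMMAND with gpg-agent acting as the SSH agent, while every
# other shell keeps using the normal ssh-agent. Example code, not the
# author's script. Assumes GnuPG >= 2.1 and enable-ssh-support already set.
set -eu

# Extract the agent-ssh-socket entry from `gpgconf --list-dirs`, whose output
# is colon-separated "name:value" lines. Note the similar "agent-socket" line
# (the non-SSH socket), which must not be matched. gpgconf percent-escapes
# values, so a path containing ':' or '%' would need decoding; this example
# assumes a plain path such as /run/user/1000/gnupg/S.gpg-agent.ssh.
parse_agent_ssh_socket() {
    sed -n 's/^agent-ssh-socket:\(.*\)$/\1/p' | head -n 1
}

ssh_gpg() {
    sock=$(gpgconf --list-dirs | parse_agent_ssh_socket)
    if [ -z "$sock" ]; then
        echo "ssh-gpg: gpgconf reported no agent-ssh-socket" >&2
        return 1
    fi

    # Connecting to the agent starts it if it is not running yet.
    # updatestartuptty records this session's tty and DISPLAY so that a
    # terminal-based pinentry puts the PIN prompt here, not in whatever
    # terminal the agent happened to record earlier.
    gpg-connect-agent updatestartuptty /bye >/dev/null

    # The SSH socket only exists when enable-ssh-support is set, which is
    # the late, confusing failure the setup section warns about.
    if [ ! -S "$sock" ]; then
        echo "ssh-gpg: $sock is not a socket; is enable-ssh-support set in gpg-agent.conf?" >&2
        return 1
    fi

    export SSH_AUTH_SOCK="$sock"
    exec "$@"
}

if [ "$#" -gt 0 ]; then
    ssh_gpg "$@"
else
    echo "usage: ssh-gpg COMMAND [ARG...]   e.g. ssh-gpg ssh-add -L" >&2
fi
```

ssh-gpg ssh-add -L should list the card’s authentication key straight away; nothing is imported, the card key is simply served by the agent. If the listing is empty, check that gpg --card-status sees the card and that it actually carries an authentication subkey. The script never calls ssh-add with a key file, so gpg-agent’s own key store (keys added that way land in ~/.gnupg/private-keys-v1.d/ under their keygrip and are listed in ~/.gnupg/sshcontrol) stays untouched.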

Some setups prompt for the PIN through the terminal (pinentry-tty or pinentry-curses). That is a bad idea if you are ever going to use ssh agent forwarding: a signature request arriving from the remote side makes gpg-agent open the prompt on the tty it last recorded, which is not necessarily the terminal you are looking at, and when it is the same terminal the curses prompt and the forwarded session compete for the screen. Best to use a GUI pinentry where possible (set pinentry-program in gpg-agent.conf to something like pinentry-gnome3 or pinentry-qt).


Updated 2021-12-15.