Windows, GnuPG, ssh, github, ...

Marko Božiković bozho at
Thu Jun 25 15:36:41 CEST 2015

Hi all,

Apologies for a long post :)

I haven't used gpg in years and recently I've picked it up with renewed
interest for many different reasons.

My initial goal would be to use gpg for ssh and github authentication
(currently covered by ssh keyfiles and putty pageant). The intermediate goal
would be to use duplicity for secure cloud backup of personal data and my end
goal would be to use a physical token (yubikey or something similar) to handle
my keyrings, passwords, etc...

I've started working on the initial goal of having gpg-agent replace putty
pageant and ssh-agent (for Cygwin's OpenSSH, which I prefer to putty) on my
Windows machines. It's been nearly impossible to find all of the information I
need in one place, but I think I've managed to piece together enough bits(ha!)

Gpg on Windows should work with putty out of the box - if I understood
correctly, Gpg4Win for 2.0.X and the official 2.1.x builds support putty
interop. ssh-pageant provides a "bridge" that enables OpenSSH to talk to
gpg-agent on Windows.

Now, there is one bit I don't quite understand why things work the way they
do... I've reduced the process to these steps (on 2.0.X):

1. create a master S, C key, 4096 RSA
2. create an A subkey, 4099 RSA
3. configure gpg-agent to run with putty support
4. run gpg-agent
-> run Cygwin bash
5. start ssh-pageant (using dev's instructions)
6. running 'ssh-add -l' returns no identities

At this point, I would expect gpg-agent to serve my authentication pubkey as
an identity. I haven't tried using gpg-agent as an ssh-agent on Linux yet, but
I don't suspect this is a Windows-specific issue/thing, since I can make
gpg-agent serve my pubkey using following steps:

7. export my subkey
8. use monkeysphere's openpgp2ssh to convert the key to SSH format (this one
is inconvenient if you're on a Windows machine since there is no Win port of
9. while pgp-agent and ssh-pagenat are running, run ssh-add <subkey_file> to
add the key to gpg-agent.
10. as a result, the key is imported into private-keys-v1.d directory and
added to sshcontrol file.
11. running ssh-add -l after that produces the desired output

My question is basically: what are the reasons that make these additional
steps necessary? Why is it necessary to export my authentication key and
import it into slightly different location in order for it to get serverd by
gpg-agent? It only makes subkey management more difficult.

I did find writeups with people mentioning that the things work with steps 1-6
if a smartcard is used to store the keyring, but the additional steps (7-11)
are needed if keyrings are stored on a disk, but nobody explains why.

Or am I doing something wrong? :)

Thnak you,

More information about the Gnupg-users mailing list