Using a GnuPG crypted RSA key for SSH

Matthias Apitz guru at
Thu May 2 13:58:37 CEST 2024

On Thursday, May 02, 2024 at 07:44:04 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:
> > 
> > > ...
> > > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > > on some distros the X config greps for this to decide whether to start
> > > the ssh-agent or leave this to gpg-agent.  Technically the ssh support is
> > > always enabled and thus the option is not really required.
> > 
> [deleted]
> I do not know what you did, but that looks like a mess
> Your pinentry was working before (I guess) and you should not change
> anything there.
> And there is no need for using trace - way too complicated!
> as Werner said add 
> enable-ssh-support
> to your ~/.gnupg/gpg-agent.conf

I have had this in that file (as I said in my last mail)

> You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
> authentication subkey in there
> and then finally tell ssh where to find the ssh-agent socket. gpg will tell
> you that by:
> gpgconf --list-dirs agent-ssh-socket
> just put 
> export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I have had this too.

> in your ~/.bashrc
> and because gpg-agent does not usually run as daemon make sure it is
> running before you use ssh
> gpgconf --launch gpg-agent

gpg-agent was always there, started by system boot.

> You also could add that to your .bashrc

The missing piece to get it working now was to tell gpg-agent the correct
TTY with:

gpg-connect-agent updatestartuptty /bye

which perhaps the gpg command does, but ssh can't.

Thanks for all the hints I got.


Matthias Apitz, ✉ guru at, +49-176-38902045
Public GnuPG key:

I am not at war with Russia.  Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
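
The checklist from this thread as a small audit script. This is an added example, not part of the original message or of GnuPG; the function names and the --run switch are hypothetical, and the directory and socket path are passed in as arguments so the checks can also be run against a copy of the configuration.

```shell
#!/bin/sh
# Added example: audits the gpg-agent SSH pieces named in this thread.
# Function names are hypothetical; paths are passed in so it can run on a copy.

# 0 if gpg-agent.conf in directory $1 has an active enable-ssh-support line.
check_agent_conf() {
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$1/gpg-agent.conf" 2>/dev/null
}

# Print how many enabled keygrips sshcontrol in directory $1 lists.
# A keygrip is 40 hex digits; '#' starts a comment and a leading '!' disables an entry.
count_keygrips() {
    [ -f "$1/sshcontrol" ] || { echo 0; return 0; }
    grep -Ec '^[0-9A-Fa-f]{40}([[:space:]]|$)' "$1/sshcontrol" || true
}

# 0 if SSH_AUTH_SOCK equals the expected socket path $1.
sock_matches() {
    [ -n "$1" ] && [ "${SSH_AUTH_SOCK:-}" = "$1" ]
}

# check_setup GNUPG_HOME EXPECTED_SOCKET: print findings, return the problem count.
check_setup() {
    problems=0
    check_agent_conf "$1" || {
        echo "missing: enable-ssh-support in $1/gpg-agent.conf"; problems=$((problems + 1)); }
    [ "$(count_keygrips "$1")" -gt 0 ] || {
        echo "missing: enabled keygrip in $1/sshcontrol"; problems=$((problems + 1)); }
    sock_matches "$2" || {
        echo "mismatch: SSH_AUTH_SOCK is not $2"; problems=$((problems + 1)); }
    return "$problems"
}

# Live use: ./check.sh --run  (needs gpgconf and gpg-connect-agent installed)
if [ "${1:-}" = "--run" ]; then
    check_setup "$(gpgconf --list-dirs homedir)" "$(gpgconf --list-dirs agent-ssh-socket)" \
        && echo "configuration looks complete"
    # The step that made ssh work in this thread: give the agent the current TTY
    # so pinentry can prompt on it.
    gpg-connect-agent updatestartuptty /bye
fi
```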
