Using gpg-agent
		
		
		
		
		
		
		
	
Unfinished
The two key things missing from all extant guides for using gpg-agent rather than ssh-agent are: specification of the pinentry program, and setting SSH_AUTH_SOCK. You'll also need to add your key using ssh-add, and set nice timeouts.
generate your keys
Use the guide on secure secure shell in PrivacyGroup#other tools to generate strong keys.
getting gpg-agent to run on startup with ssh support
Copy this to .gnupg/gpg-agent.conf:
enable-ssh-support
setting good timeouts
Copy this to .gnupg/gpg-agent.conf:
default-cache-ttl-ssh 28800
max-cache-ttl-ssh 43200
setting pinentry and other options for gpg-agent
Copy this to .gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-gtk-2
modifying .xsessionrc
Add this to $HOME/.xsessionrc (some may not be necessary; I will update this):
GPGAGENT=/usr/local/bin/gpg-agent
envfile="$HOME/.gnupg/gpg-agent.env"
# Note: --write-env-file and GPG_AGENT_INFO belong to GnuPG 2.0 and earlier;
# 2.1 and later no longer use them.
if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
    # an agent from an earlier session is still alive: reuse its environment
    eval "$(cat "$envfile")"
    echo "ran $(cat "$envfile")" >> "$HOME/gpgagent_debug"
else
    # no live agent: start one with ssh support and record its environment
    eval "$($GPGAGENT --daemon --enable-ssh-support --write-env-file "$envfile")"
    #echo did $GPGAGENT --daemon --enable-ssh-support --write-env-file "$envfile" >> $HOME/gpgagent_debug
fi
export GPG_AGENT_INFO  # the env file does not contain the export statement

# point ssh at gpg-agent's socket instead of a running ssh-agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
    export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
    #echo did export SSH_AUTH_SOCK=$SSH_AUTH_SOCK >> $HOME/gpgagent_debug
fi
After restarting (or just restarting X, if you know how...), do
gpg-agent
on its own to tell if the agent is running.
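To check the settings themselves rather than only whether the agent is up, the following added example (not part of the original page) audits gpg-agent.conf for the three options above and checks that SSH_AUTH_SOCK points at gpg-agent's ssh socket. The function names and messages are this example's own.

```shell
#!/bin/sh
# Added example: audit the gpg-agent SSH settings this page sets up.
# Function names and messages are this example's own, not GnuPG's.

# conf_value FILE OPTION: print OPTION's argument (the last one if repeated).
conf_value() {
    awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                     END { print v }' "$1"
}

# is_number STRING: succeed only for a non-empty string of digits.
is_number() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# check_agent_conf FILE: print one line per problem; exit status = problem count.
check_agent_conf() {
    conf=$1; n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    grep -Eq '^[[:space:]]*enable-ssh-support[[:space:]]*$' "$conf" ||
        { echo "enable-ssh-support is missing"; n=$((n + 1)); }
    pin=$(conf_value "$conf" pinentry-program)
    if [ -z "$pin" ]; then
        echo "pinentry-program is not set"; n=$((n + 1))
    elif [ ! -x "$pin" ]; then
        echo "pinentry-program $pin is not executable"; n=$((n + 1))
    fi
    def=$(conf_value "$conf" default-cache-ttl-ssh)
    max=$(conf_value "$conf" max-cache-ttl-ssh)
    if ! is_number "$def" || ! is_number "$max"; then
        echo "ssh cache TTLs missing or not numeric"; n=$((n + 1))
    elif [ "$def" -gt "$max" ]; then
        echo "default-cache-ttl-ssh ($def) exceeds max-cache-ttl-ssh ($max)"; n=$((n + 1))
    fi
    return "$n"
}

# check_ssh_sock PATH: succeed if PATH is a socket file named S.gpg-agent.ssh.
check_ssh_sock() {
    [ -n "$1" ] || { echo "SSH_AUTH_SOCK is not set"; return 1; }
    [ "${1##*/}" = "S.gpg-agent.ssh" ] || { echo "$1 is not gpg-agent's ssh socket"; return 1; }
    [ -S "$1" ] || { echo "$1 does not exist or is not a socket"; return 1; }
}

# audit: run both checks against the current user's setup.
audit() {
    check_agent_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    check_ssh_sock "${SSH_AUTH_SOCK:-}"
}
```

Source the file in a terminal started from the X session and run `audit`; no output means every check passed.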