Recipe: GPG-agent forwarding

This is heavily inspired by but is going to be friendlier


You need at least GnuPG 2.1.1 on both systems. To find out which one you have, simply run

%> gpg --version

For this recipe you also need OpenSSH >= 6.7. (If you have a version older than that refer to the wiki article mentioned above.) To find out which one you have, simply run

%> sshd --version

Put your key on the remote

Assuming you have a local private gpg key, run

%> gpg --armor --export <KEYNAME> > <FILENAME>

Then copy the public key to the remote host.

Then, on the remote host, import it into gpg.

%> gpg --import <FILENAME>

More on this here:

gpg-agent forwarding configuration

On the local machine, edit $HOME/.gnupg/gpg-agent.conf and add

enable-ssh-support
extra-socket /home/<user>/.gnupg/S.gpg-agent.extra

I am not quite certain the enable-ssh-support is actually required but it worked for me and I did not try without it.

On the local machine, run:

%> gpgconf --list-dir agent-extra-socket

This is the CLIENT_SOCKET.

On the remote, run:

%> gpgconf --list-dir agent-socket

This is the REMOTE_SOCKET.

Edit ~/.ssh/config (you can tweak HOST for your own usage)

    StreamLocalBindUnlink yes

Test it

Connect to the remote server via ssh. Run:

%> gpg --no-autostart -K

You should see your key.
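The two socket paths resolved above feed into a RemoteForward line in the ~/.ssh/config stanza, and the "Test it" step can be scripted against it; here is an added helper script that does both, not part of the original post. It assumes the recipe's placeholders (<HOST>, REMOTE_SOCKET, CLIENT_SOCKET) and that gpgconf is on PATH on both machines.

```shell
#!/bin/sh
# Added helper script, not from the original post. Assumes the recipe's
# placeholders: <HOST>, REMOTE_SOCKET (remote `gpgconf --list-dir agent-socket`)
# and CLIENT_SOCKET (local `gpgconf --list-dir agent-extra-socket`).
# Only the *extra* socket is forwarded: gpg-agent treats connections on it as
# restricted, so the remote side can sign/decrypt but cannot export keys or
# change agent settings.

# Render the ~/.ssh/config stanza: the remote socket path is forwarded back to
# the local extra socket. For a RemoteForward the socket file on the remote is
# created by the remote sshd, so the remote sshd_config's own
# StreamLocalBindUnlink setting decides whether a stale file gets replaced.
render_ssh_stanza() {
    printf 'Host %s\n' "$1"
    printf '    RemoteForward %s %s\n' "$2" "$3"
    printf '    StreamLocalBindUnlink yes\n'
}

# Discover both socket paths (local via gpgconf, remote via ssh) and print
# them as "REMOTE_SOCKET CLIENT_SOCKET".
discover_sockets() {
    ds_client=$(gpgconf --list-dir agent-extra-socket) || return 1
    ds_remote=$(ssh "$1" gpgconf --list-dir agent-socket) || return 1
    printf '%s %s\n' "$ds_remote" "$ds_client"
}

# Succeed only if the remote gpg lists a secret key (a "sec" line) through the
# forwarded agent. --no-autostart keeps a remote agent from being launched,
# which would otherwise hide a broken forward behind an empty key list.
verify_remote() {
    ssh "$1" 'gpg --no-autostart -K' | grep -q '^sec'
}

# Usage: ./gpg-forward.sh <HOST>
main() {
    sockets=$(discover_sockets "$1") || { echo "could not resolve sockets" >&2; return 1; }
    set -- "$1" $sockets
    render_ssh_stanza "$1" "$2" "$3"
    echo "# put the stanza above in ~/.ssh/config, reconnect, then run verify_remote"
    verify_remote "$1" && echo "forwarding works" || echo "no key visible on $1" >&2
}

if [ $# -ge 1 ]; then main "$@"; fi
```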


This has been very flaky in my case so I have to fiddle with it every now and then. (I doubt that StreamLocalBindUnlink is not getting the job done.)

On the remote, run:

%> gpg --no-autostart -K

If you get no output or “gpg: no gpg-agent running in this session”, then run:

%> gpgconf --launch gpg-agent
%> gpgconf --kill gpg-agent

Log out / log in and try again. In my case it works then.

To further debug and make sure the forwarded socket file is actually being created on the remote host, run:

%> ls -l <REMOTE_SOCKET>

and see if the timestamp is the current time (assuming you just connected).
