YubiKey GPG inside WSL2

This tutorial explains how to use a YubiKey's GPG (and SSH) keys from inside a WSL2 instance.

Install GPG4Win.

Start up Kleopatra and make sure your YubiKey is loaded there.

You can also add GPG4Win to Startup folder using a link with this Target:

"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" /bye

This will only load the agent at Startup, and you won’t be bothered by any UI or tray agent.

Download wsl2-ssh-pageant

Put it into your Windows %USERPROFILE%\.ssh directory (keeping it on the Windows filesystem matters for performance).

Install socat and gpg inside WSL as you would in a “normal” distro, e.g.

sudo apt-get install -y gnupg gnupg-agent socat

Create profile

Create a ~/.bash_profile or ~/.zprofile (for ZSH) inside WSL:

### https://github.com/BlackReloaded/wsl2-ssh-pageant#bashzsh
WIN_USER="<your_windows_username_here>"
SSH_DIR="${HOME}/.ssh"
mkdir -p "${SSH_DIR}"
wsl2_ssh_pageant_bin="${SSH_DIR}/wsl2-ssh-pageant.exe"
ln -sf "/mnt/c/Users/${WIN_USER}/.ssh/wsl2-ssh-pageant.exe" "${wsl2_ssh_pageant_bin}"

# Start one socat listener on the given socket path (unless one is already running)
# and hand every connection to wsl2-ssh-pageant.exe with the remaining arguments.
listen_socket() {
  sock_path="$1" && shift
  fork_args="${sock_path},fork"
  exec_args="${wsl2_ssh_pageant_bin} $*"   # $* joins the remaining args with spaces

  if ! ps x | grep -v grep | grep -q "${fork_args}"; then
    rm -f "${sock_path}"
    (setsid nohup socat "UNIX-LISTEN:${fork_args}" "EXEC:${exec_args}" &>/dev/null &)
  fi
}

# SSH
export SSH_AUTH_SOCK="${SSH_DIR}/agent.sock"
listen_socket "${SSH_AUTH_SOCK}"

# GPG (gpg creates ~/.gnupg on first use, but socat needs the directory to exist now)
mkdir -p -m 700 "${HOME}/.gnupg"
export GPG_AGENT_SOCK="${HOME}/.gnupg/S.gpg-agent"
listen_socket "${GPG_AGENT_SOCK}" --gpg S.gpg-agent

# GPG extra for agent forwarding to devcontainers in VS Code
export GPG_AGENT_SOCK_EXTRA="${HOME}/.gnupg/S.gpg-agent.extra"
listen_socket "${GPG_AGENT_SOCK_EXTRA}" --gpg S.gpg-agent.extra

unset wsl2_ssh_pageant_bin
###

You can also keep this file on the C: drive and symlink to it from your home directory, e.g.

ln -s /mnt/c/WSL/scripts/.zprofile ~/.zprofile

which enables sharing of the same file across multiple WSL distros.

Log out and back into WSL.

Import Key

Import your GPG key(s) inside WSL, just as you normally would.

You’re now ready to go!
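To confirm the bridge set up by the profile above is actually in place, here is a small diagnostic script. It is an added example, not part of this tutorial or of wsl2-ssh-pageant: it checks that the wsl2-ssh-pageant.exe symlink resolves to an executable on a Windows drive, that both bridge sockets exist, that a socat listener is running for each, and that no gpg-agent started inside WSL is competing for S.gpg-agent (the usual cause of "card not found" after the profile seemed to load). The script name and the default paths mirror the profile; SAMPLE_PS is constructed ps output used only to exercise the string checks offline.

```shell
#!/bin/sh
# wsl-yubikey-doctor.sh: checks the socat bridge set up by the profile above.
# Added example; it is not part of the tutorial or of wsl2-ssh-pageant.
# Defaults mirror the profile; override any of them through the environment.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"
PAGEANT_LINK="${PAGEANT_LINK:-$SSH_DIR/wsl2-ssh-pageant.exe}"
SSH_SOCK="${SSH_AUTH_SOCK:-$SSH_DIR/agent.sock}"
GPG_SOCK="${GPG_AGENT_SOCK:-$HOME/.gnupg/S.gpg-agent}"

# Constructed `ps x` output used to demonstrate the pure checks offline:
# a healthy GPG bridge, a competing WSL-local gpg-agent, and a stray grep.
SAMPLE_PS='  101 ?     Ss   0:00 socat UNIX-LISTEN:/home/u/.gnupg/S.gpg-agent,fork EXEC:/home/u/.ssh/wsl2-ssh-pageant.exe --gpg S.gpg-agent
  102 ?     Ss   0:00 gpg-agent --homedir /home/u/.gnupg --use-standard-socket --daemon
  103 pts/0 S+   0:00 grep UNIX-LISTEN:/home/u/.ssh/agent.sock,fork'

# 0 if PATH is on a mounted Windows drive (/mnt/<letter>/...). The tutorial
# keeps the .exe on the Windows side; running it from the Linux filesystem
# works but is slow.
on_windows_drive() {
  case "$1" in
    /mnt/[a-zA-Z]/*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 if LINK resolves to an executable regular file, 1 if missing or broken.
pageant_link_ok() {
  _t=$(readlink -f -- "$1" 2>/dev/null) || return 1
  [ -n "$_t" ] && [ -f "$_t" ] && [ -x "$_t" ]
}

# 0 if PATH exists and is a UNIX socket, i.e. socat has created the listener.
bridge_socket_ok() {
  [ -S "$1" ]
}

# 0 if PS_TEXT ($2) shows a socat listener for SOCK_PATH ($1). Same idea as
# the profile's test, but on a string argument so it can be exercised offline.
socat_listener_in() {
  printf '%s\n' "$2" | grep -v grep | grep -Fq "UNIX-LISTEN:$1,fork"
}

# 0 if PS_TEXT shows a gpg-agent started inside WSL. Such an agent competes
# with the bridge for S.gpg-agent. The socat line is excluded and the pattern
# requires a space or '/' before "gpg-agent", so the bridge's own
# "S.gpg-agent" arguments never match.
local_gpg_agent_in() {
  printf '%s\n' "$1" | grep -v socat | grep -Eq '(^|[ /])gpg-agent( |$)'
}

# Run one check, print ok/FAIL, and count failures.
check() {
  _desc="$1"; shift
  if "$@"; then echo "ok   $_desc"; else echo "FAIL $_desc"; fails=$((fails + 1)); fi
}

# Run every check against the live environment; 0 only if all of them pass.
run_doctor() {
  fails=0
  _ps=$(ps x 2>/dev/null || true)
  _target=$(readlink -f -- "$PAGEANT_LINK" 2>/dev/null || true)
  check "$PAGEANT_LINK resolves to an executable" pageant_link_ok "$PAGEANT_LINK"
  check "wsl2-ssh-pageant.exe is stored on a Windows drive" on_windows_drive "$_target"
  check "SSH bridge socket $SSH_SOCK exists" bridge_socket_ok "$SSH_SOCK"
  check "socat listener for $SSH_SOCK is running" socat_listener_in "$SSH_SOCK" "$_ps"
  check "GPG bridge socket $GPG_SOCK exists" bridge_socket_ok "$GPG_SOCK"
  check "socat listener for $GPG_SOCK is running" socat_listener_in "$GPG_SOCK" "$_ps"
  if local_gpg_agent_in "$_ps"; then
    echo "WARN a gpg-agent started inside WSL is running and may replace $GPG_SOCK;"
    echo "     run 'gpgconf --kill gpg-agent', then log out and back into WSL"
    fails=$((fails + 1))
  else
    echo "ok   no WSL-local gpg-agent competing for $GPG_SOCK"
  fi
  echo "failures: $fails"
  [ "$fails" -eq 0 ]
}

run_doctor || echo "fix the FAIL/WARN lines above, then log out and back into WSL"
```

Run it from a fresh WSL shell after logging back in; every line should read "ok". The pure checks take the ps text as an argument instead of calling ps themselves, which is what lets them be exercised against SAMPLE_PS without a YubiKey or a running bridge.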

Inspired by dinvlad/YubiKey GPG inside WSL2.md

Psst, want to know how Git commit signing with GPG inside WSL2 works? Take a look!