@yusufhm
Created March 3, 2026 23:23
GPG + SSH Agent Setup in Termux

This document contains the final, working steps for:

  • Creating a modern GPG keyring
  • Adding an SSH authentication subkey
  • Enabling gpg-agent SSH support
  • Exposing the key via ssh-agent compatibility
  • Backing up the keyring safely

Tested with GnuPG 2.5.x in Termux.


1. Install Required Packages

pkg update
pkg install gnupg openssh

2. Generate Primary GPG Key

Create a modern ECC key:

gpg --full-generate-key

Choose:

(9) ECC (sign and encrypt)

Follow prompts and set a strong passphrase.


3. Add SSH Authentication Subkey

First get your full fingerprint:

gpg --list-secret-keys --with-subkey-fingerprint

Copy the full 40-character fingerprint of the primary key (the sec entry).

Add an authentication-only subkey:

gpg --quick-add-key FULL_FINGERPRINT ed25519 auth

Verify it exists:

gpg --list-secret-keys

You should see:

ssb   ed25519  [A]

4. Enable SSH Support in gpg-agent

Create or edit:

~/.gnupg/gpg-agent.conf

Add:

enable-ssh-support
default-cache-ttl-ssh 300
max-cache-ttl-ssh 900

Restart the agent:

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent

5. Expose SSH Socket to OpenSSH

Add to your shell config (~/.bashrc or ~/.zshrc):

export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Reload shell:

source ~/.bashrc

6. Allow the Authentication Key for SSH

GnuPG 2.5 requires explicit approval of SSH keys.

Get keygrips:

gpg --list-secret-keys --with-keygrip

Find the keygrip for the [A] subkey.

Create or edit:

~/.gnupg/sshcontrol

Add the authentication subkey keygrip (one per line).

Example:

1234567890ABCDEF1234567890ABCDEF12345678

Restart agent again:

gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
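
A consistency check for step 6, as an added example that is not part of the original gist: it reads `gpg --list-secret-keys --with-keygrip --with-colons` output and reports authentication-capable keygrips that `~/.gnupg/sshcontrol` does not enable. The function names and the sample listing are constructed for illustration; the sample reuses the placeholder keygrip from the example above.

```shell
# Print keygrips of usable keys/subkeys that carry the authentication capability.
# stdin: output of `gpg --list-secret-keys --with-keygrip --with-colons`.
auth_keygrips() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      # Field 12: lowercase letters are the capabilities of this key itself.
      # Field 2: r = revoked, e = expired; skip those.
      want = ($12 ~ /a/ && $2 !~ /^[re]$/)
    }
    $1 == "grp" && want { print toupper($10); want = 0 }
  '
}

# Print the keygrips that the sshcontrol file ($1) enables.
enabled_in_sshcontrol() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
    $1 ~ /^!/            { next }   # a leading "!" disables the entry
    { print toupper($1) }           # first column; TTL and flags may follow
  ' "$1"
}

# Print auth keygrips from the listing on stdin that sshcontrol ($1) does not enable.
missing_from_sshcontrol() {
  auth_keygrips | while read -r grip; do
    enabled_in_sshcontrol "$1" | grep -qxF "$grip" || printf '%s\n' "$grip"
  done
}

# Constructed listing, trimmed to the record types parsed above (IDs and keygrips made up).
sample_listing() {
  cat <<'EOF'
sec:u:255:22:AAAAAAAAAAAAAAAA:1772579000:::u:::scESCA:::+::ed25519:::0:
grp:::::::::A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0:
ssb:u:255:18:BBBBBBBBBBBBBBBB:1772579000::::::e:::+::cv25519::
grp:::::::::B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1:
ssb:u:255:22:CCCCCCCCCCCCCCCC:1772579100::::::a:::+::ed25519::
grp:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
EOF
}

# Demo: a constructed sshcontrol whose only entry is disabled with "!".
demo_ctl=$(mktemp)
printf '!%s\n' 1234567890ABCDEF1234567890ABCDEF12345678 > "$demo_ctl"
sample_listing | missing_from_sshcontrol "$demo_ctl"   # prints the [A] subkey keygrip
rm -f "$demo_ctl"
```

On a real keyring, pipe the gpg listing into `missing_from_sshcontrol ~/.gnupg/sshcontrol`; empty output means every usable [A] key has an enabled entry.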

7. Verify SSH Integration

Check identities:

ssh-add -L

You should see:

ssh-ed25519 AAAA...

You can also export manually:

gpg --export-ssh-key FULL_FINGERPRINT

Add this public key to your Git hosting provider or servers.


8. Optional: Manual Lock Alias

Add to shell config:

alias lockssh='gpgconf --kill gpg-agent'

Run:

lockssh

9. Backup Strategy (CRITICAL)

Recommended: Full Directory Backup

# -C ~ stores paths relative to $HOME, so the restore step's -C ~ lands in ~/.gnupg
tar czf gnupg-backup.tar.gz -C ~ .gnupg

Store securely offline.

Also Export Armored Secret Keys

gpg --export-secret-keys --armor FULL_FINGERPRINT > private-keys.asc

Optional:

gpg --export-ownertrust > ownertrust.txt

10. Restore Procedure

On a new device:

rm -rf ~/.gnupg
tar xzf gnupg-backup.tar.gz -C ~
chmod 700 ~/.gnupg
gpgconf --kill gpg-agent

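SSH integration will work immediately, provided gnupg and openssh are installed (step 1) and the shell exports SSH_AUTH_SOCK (step 5); gpg-agent.conf and sshcontrol are restored with the directory.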


Final Result

You now have:

  • Modern ECC GPG primary key
  • Dedicated SSH authentication subkey
  • gpg-agent acting as ssh-agent
  • Auto-expiring SSH cache
  • Clean backup & restore process

This setup works natively inside Termux without external password managers or a traditional ssh-agent.
