These steps have been tested on macOS. Linux should be similar, if not identical. Good luck on Windows.
- If you already use a GPG key to sign git commits or packages, it's one less key to back up securely.
- GPG keys can be stored on OpenPGP smart cards such as the YubiKey.
Generate a GPG key (skip this step if you already have one that supports authentication)
- Run the following command:
    gpg --expert --full-generate-key
- Select whatever key type you want, as long as that type supports the Authenticate capability. I selected
    ECC (set your own capabilities)
  (the options below are specific to this type of key)
- Make sure the Authenticate capability is selected. I selected
    Sign Certify Authenticate
- Select the elliptic curve you wish to use. I selected
    Brainpool P-512
  but you may want to use another: OpenSSH only understands the NIST P-256/P-384/P-521 curves and Ed25519, so a Brainpool key cannot be offered over the SSH socket. Curve 25519 (Ed25519) is the safe choice for this purpose.
- Set an expiry.
- Enter your name, email, and a comment.
- Generate the key and set a passphrase if desired/required.
Enable SSH support in gpg-agent
- Run the following to add `enable-ssh-support` to ~/.gnupg/gpg-agent.conf:
    echo enable-ssh-support >> ~/.gnupg/gpg-agent.conf
- You may want to tell gpg-agent which keys to use for SSH authentication, so you won't need ssh-add to add them. To do this, add the keygrip of your GPG key to ~/.gnupg/sshcontrol.
- Run the following to get the keygrip identifier for your GPG key (if `gpg2` is not found, use `gpg`; on GnuPG 2.x they are the same program):
    gpg2 -K --with-keygrip
- Copy the keygrip (the hexadecimal string after `Keygrip =` in the above output) and append it to ~/.gnupg/sshcontrol. Use the keygrip of the key that actually has the Authenticate capability (the line marked [A] in the listing), which may be a subkey rather than the primary key:
    echo <keygrip> >> ~/.gnupg/sshcontrol
Point SSH at gpg-agent
- Get the socket path from
    gpgconf --list-dirs agent-ssh-socket
- Add the following to your ~/.ssh/config file, either adding the whole section if it does not already exist, or appending the `IdentityAgent` and `AddKeysToAgent` lines to an existing section:
    Host *
        IdentityAgent <gpgconf output>
        AddKeysToAgent yes
- Add the following to the end of your ~/.bashrc, ~/.zshrc (or equivalent) or ~/.profile, so that the agent is running and SSH_AUTH_SOCK points at its SSH socket in every shell (on macOS, launchd sets SSH_AUTH_SOCK to the system agent by default, so it has to be overridden):
    gpg-agent --daemon > /dev/null 2>&1
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
  If an agent is already running, `gpg-agent --daemon` exits with an error (which the redirect hides); `gpgconf --launch gpg-agent` does the same job without the noise. After editing gpg-agent.conf, restart the agent with `gpgconf --kill gpg-agent` so the new option is read. `ssh-add -L` should then list your GPG key, and `gpg --export-ssh-key <keyid>` prints the same public key in OpenSSH format for the remote authorized_keys file.
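The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that picks the keygrip of the Authenticate-capable key from gpg's machine-readable listing (`--with-colons`, where field 12 of a `sec`/`ssb` record holds the key's own capabilities and the following `grp` record holds its keygrip), appends it to sshcontrol idempotently, and when run with `apply` enables SSH support, restarts the agent and verifies with `ssh-add -L`. It assumes GnuPG 2.1 or later (for `--with-keygrip` in colon output and `gpg --export-ssh-key`) and a POSIX shell with awk; the sample listing embedded in it is constructed, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): wire an authentication-capable
# GPG key into gpg-agent's SSH support in a checkable, idempotent way.
# Assumptions: GnuPG >= 2.1 (colon-format listing with grp records, and
# `gpg --export-ssh-key`), and a POSIX shell with awk.

# Print "<keygrip> <fingerprint>" for every secret key whose own capability
# field (field 12 of sec/ssb records) contains 'a' (Authenticate).
# Reads `gpg -K --with-colons --with-keygrip` output on stdin. Lowercase
# letters are the key's own capabilities; uppercase ones summarise the
# whole key, so matching /a/ (case-sensitive) picks the right record.
auth_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { caps = $12 }
        $1 == "fpr"                { fpr = $10 }
        $1 == "grp" && caps ~ /a/  { print $10, fpr }
    '
}

# Append a keygrip to sshcontrol unless a line for it already exists.
# gpg-agent reads this file to decide which keys to offer over the SSH socket.
add_to_sshcontrol() {
    keygrip=$1
    file=${2:-$HOME/.gnupg/sshcontrol}
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -q "^$keygrip" "$file"; then
        printf '%s\n' "$keygrip" >> "$file"
    fi
}

# Constructed sample listing (not real key material) in gpg's colon format:
# a primary key with sign/certify/authenticate and an encrypt-only subkey.
SAMPLE_LISTING='sec:u:256:22:AAAAAAAAAAAAAAAA:1700000000:::u:::scaESCA:::+:::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::2222222222222222222222222222222222222222:
uid:u::::1700000000::3333333333333333333333333333333333333333::Jane Doe <jane@example.com>::::::::::0:
ssb:u:256:18:BBBBBBBBBBBBBBBB:1700000000::::::e:::+:::cv25519::
fpr:::::::::4444444444444444444444444444444444444444:
grp:::::::::5555555555555555555555555555555555555555:'

# Live procedure: run as `sh gpg-ssh.sh apply` on a machine with gpg installed.
if [ "${1:-}" = "apply" ]; then
    conf="$HOME/.gnupg/gpg-agent.conf"
    mkdir -p "$HOME/.gnupg"
    grep -qx enable-ssh-support "$conf" 2>/dev/null \
        || printf 'enable-ssh-support\n' >> "$conf"
    gpg -K --with-colons --with-keygrip | auth_keys | while read -r grip fpr; do
        add_to_sshcontrol "$grip"
        echo "# authorized_keys entry for $fpr:"
        gpg --export-ssh-key "$fpr!"    # '!' selects exactly this key
    done
    gpgconf --kill gpg-agent            # restart so the new config is read
    gpgconf --launch gpg-agent
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    ssh-add -L                          # should now list the GPG-backed key(s)
fi
```

Running the script without arguments only defines the helpers, so `printf '%s\n' "$SAMPLE_LISTING" | auth_keys` can be used to check the parser on the constructed listing; only the primary key (capabilities `scaESCA`) is reported, the encrypt-only subkey is skipped.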