Socket redirection with GPG

Recently, I had a scenario where my .gnupg directory was being hosted in a Docker volume instead of the standard home directory on Linux. For those who may not be aware, the default GPG directory can be changed by defining the environment variable GNUPGHOME with a different directory. However, because the sockets that GPG was using were now being persisted across containers, I was getting errors from gpg-agent.

After some research, I discovered that GPG supports changing where it stores its socket files, by providing a redirection in place of the socket files themselves.

GnuPG creates several socket files in GNUPGHOME, and each one that is to live elsewhere needs its own redirection:

  • S.gpg-agent
  • S.gpg-agent.browser
  • S.gpg-agent.extra
  • S.gpg-agent.ssh
  • S.dirmngr

The gpg-agent sockets are described as follows in the GnuPG ArchWiki, which refers to them by their systemd socket-unit names (gpg-agent.socket corresponds to S.gpg-agent, gpg-agent-extra.socket to S.gpg-agent.extra, and so on):

  • The main gpg-agent.socket is used by gpg to connect to the gpg-agent daemon.
  • The intended use for the gpg-agent-extra.socket on a local system is to set up a Unix domain socket forwarding from a remote system. This enables to use gpg on the remote system without exposing the private keys to the remote system. See gpg-agent(1) for details.
  • The gpg-agent-browser.socket allows web browsers to access the gpg-agent daemon.
  • The gpg-agent-ssh.socket can be used by SSH to cache SSH keys added by the ssh-add program. See #SSH agent for the necessary configuration.
  • The dirmngr.socket starts a GnuPG daemon handling connections to keyservers.

Configuration

To add support for socket redirection, we need to do two things: set the two sockets that have gpg-agent.conf options (extra and browser) in the configuration, and create redirection files in GNUPGHOME for the three sockets that have no configuration option (the main agent socket, the ssh socket and the dirmngr socket). A redirection file takes the place of the socket itself: it is a regular file whose first line is %Assuan% and whose second line is socket=<real path>; the daemon creates its socket at the real path, and clients that open the file follow the redirect.

For S.gpg-agent.extra and S.gpg-agent.browser, add the following to ${GNUPGHOME}/gpg-agent.conf (create the file if it doesn’t already exist):

extra-socket /var/run/S.gpg-agent.extra
browser-socket /var/run/S.gpg-agent.browser

For S.gpg-agent, S.gpg-agent.ssh and S.dirmngr, create three separate redirection files (printf turns %% into a literal %, so each file starts with the line %Assuan%):

$ printf '%%Assuan%%\nsocket=/var/run/S.gpg-agent\n' > ${GNUPGHOME}/S.gpg-agent

$ printf '%%Assuan%%\nsocket=/var/run/S.gpg-agent.ssh\n' > ${GNUPGHOME}/S.gpg-agent.ssh

$ printf '%%Assuan%%\nsocket=/var/run/S.dirmngr\n' > ${GNUPGHOME}/S.dirmngr

In the above, you can see we are now using /var/run as the new socket location. I’m also assuming that you’ve previously set the GNUPGHOME environment variable. If not, then substitute your .gnupg directory instead. One caveat before copying this verbatim: anyone who can connect to these sockets can sign, decrypt and (through S.gpg-agent.ssh) authenticate with the cached keys, so the socket directory should be owned by you and not writable or traversable by others (mode 0700, which is what gpg-agent applies to its own default /run/user/<uid>/gnupg). /var/run is usually root-owned and shared, so in practice pick a private directory under it, or under /run/user/<uid>, rather than /var/run itself.

Once complete you will need to restart gpg-agent and dirmngr, not merely reload them. gpg-connect-agent reloadagent /bye re-reads only a small set of runtime options and keeps the sockets it already opened, so the new paths would not be used until the daemons exit. Kill them with gpgconf and they are restarted on the next gpg invocation:

gpgconf --kill gpg-agent
gpgconf --kill dirmngr
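The whole procedure above, collected into one script as an added example (this is my code, not the post’s): it creates a private 0700 socket directory, rewrites the two gpg-agent.conf options without duplicating them, writes the three %Assuan% redirect files, checks that each one is well formed, then kills the daemons and asks the freshly started agent which socket it is really listening on. The directory name gnupg-redirect under XDG_RUNTIME_DIR and all function names are my assumptions; the gpgconf and gpg-connect-agent calls are standard GnuPG 2.1+ commands.

```shell
#!/bin/sh
# Added example (not from the original post): set up GnuPG socket
# redirection into a private, user-owned directory instead of the shared
# /var/run, then restart the daemons so the new socket paths take effect.
#
# Assumptions (mine, not the post's): the socket directory defaults to
# $XDG_RUNTIME_DIR/gnupg-redirect (a hypothetical name); GNUPGHOME is set.
set -eu

# Write one Assuan redirect file: first line "%Assuan%", second line the
# real socket path. The daemon creates its socket at that path and clients
# follow the redirect when they open the S.* file in GNUPGHOME.
write_redirect() {        # $1 = GNUPGHOME, $2 = socket basename, $3 = socket dir
    printf '%%Assuan%%\nsocket=%s/%s\n' "$3" "$2" > "$1/$2"
    chmod 600 "$1/$2"
}

# Return 0 when a file is a well-formed redirect (sanity check before the
# agent is restarted, so a typo does not leave gpg without a socket).
is_redirect() {           # $1 = path to S.* file
    [ -f "$1" ] || return 1
    [ "$(sed -n 1p "$1")" = '%Assuan%' ] || return 1
    sed -n 2p "$1" | grep -q '^socket=/' || return 1
}

# Print the socket path a redirect file points at.
redirect_target() {       # $1 = path to S.* file
    sed -n 's/^socket=//p' "$1"
}

# Set extra-socket/browser-socket in gpg-agent.conf, replacing any existing
# value so repeated runs do not accumulate conflicting lines.
configure_agent_conf() {  # $1 = GNUPGHOME, $2 = socket dir
    conf="$1/gpg-agent.conf"
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    grep -v -e '^extra-socket ' -e '^browser-socket ' "$conf" > "$tmp" || true
    printf 'extra-socket %s/S.gpg-agent.extra\n' "$2" >> "$tmp"
    printf 'browser-socket %s/S.gpg-agent.browser\n' "$2" >> "$tmp"
    mv "$tmp" "$conf"
    chmod 600 "$conf"
}

# Create the socket directory with the protection gpg-agent gives its own
# default socket dir: owned by us, mode 0700. Anyone who can connect to
# these sockets can use the cached keys, so a shared directory is unsafe.
setup_socket_dir() {      # $1 = socket dir
    mkdir -p "$1"
    chmod 700 "$1"
    [ -O "$1" ] || { echo "refusing to use $1: not owned by us" >&2; return 1; }
    [ "$(ls -ld "$1" | cut -c1-10)" = 'drwx------' ] || {
        echo "refusing to use $1: permissions are not 0700" >&2; return 1; }
}

# Do the whole job: directory, gpg-agent.conf, and the three redirect files.
setup_gpg_redirect() {    # $1 = GNUPGHOME, $2 = socket dir
    setup_socket_dir "$2"
    configure_agent_conf "$1" "$2"
    for name in S.gpg-agent S.gpg-agent.ssh S.dirmngr; do
        write_redirect "$1" "$name" "$2"
        is_redirect "$1/$name"
    done
}

# Socket options are only read at daemon start, so "reloadagent" is not
# enough: kill gpg-agent and dirmngr, let gpg restart them on demand, then
# ask the new agent (GETINFO socket_name) which socket it actually serves.
restart_and_verify() {    # $1 = socket dir
    command -v gpgconf >/dev/null || { echo "gpgconf not installed" >&2; return 0; }
    gpgconf --kill gpg-agent
    gpgconf --kill dirmngr
    gpg-connect-agent 'getinfo socket_name' /bye | grep -q "^D $1/S.gpg-agent\$"
}

# Run as "./gpg-redirect.sh setup" to apply it to the current GNUPGHOME.
if [ "${1:-}" = setup ]; then
    : "${GNUPGHOME:?set GNUPGHOME to your .gnupg directory first}"
    sockdir="${XDG_RUNTIME_DIR:-/tmp/$(id -u)}/gnupg-redirect"
    setup_gpg_redirect "$GNUPGHOME" "$sockdir"
    restart_and_verify "$sockdir"
fi
```

The file-writing functions are kept separate from the daemon restart so the redirect files can be prepared once into the Docker volume and the restart left to whichever container actually runs gpg; the verification step fails if the agent reports the old socket, which is exactly what happens when only reloadagent was used.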