Windows Forward GPG

Forward your gpg-agent to a linux machine for signing and encrypt/decrypt operations. This is currently only possible using WSL, not Putty.

First a USB WSL bridge is setup with a GPG relay enabling GPG usage in WSL. GPG may be forwarded from WSL to other Linux machines.

Bridges must be created until Windows WSL supports USB passthru.


Fowarding gpg-agent credentials should ONLY be done on trusted machines. See recent security breach.

Using GPG relay on the local machine is safer, but not ideal.


Setup GPG Relay in WSL

Required Materials

  1. npiperelay downloaded. Verify Integrity.

  2. wsl-ssh-pageant Verify Integrity.

  3. Recent Linux Distro on WSL2 installed. See Windows Subsystem for Linux (WSL).

  4. Putty installed.

  5. Pre-configured Yubikey using Export GPG Subkeys to Yubikey.

Install WSL USB Bridges on Windows

Windows does not support sockets. These utilities provide UNIX sockets to WSL systems; which utimately enable the use of Yubikeys.

  1. Copy the latest npiperelay to %appdata%\npiperelay\npiperelay.exe

  2. Copy the latest wsl-ssh-pageant to %appdata%\wsl-ssh-pageant\wsl-ssh-pageant-amd64-gui.exe

  3. Enable Putty Support, see Configure GPG Agent

Restart gpg-connect-agent to pickup putty support, if changed.
gpgconf --kill gpg-agent
gpg-connect-agent /bye

Install GPG Relay on WSL

This script will setup a GPG relay daemon using the USB socket bridge setup above. Download the script.


Review this script. Never blindly execute Internet scripts.

Create gnupg empty directory.
mkdir ~/.gnupg
chmod 0700 ~/.gnupg
From your WSL instance.
mkdir -p ~/.local/bin
wget -O ~/.local/bin/gpg-agent-relay
chmod +x ~/.local/bin/gpg-agent-relay
0600 {USER} {USER} ~/.bashrc
$HOME/.local/bin/gpg-agent-relay start
export SSH_AUTH_SOCK=$HOME/.gnupg/S.gpg-agent.ssh

Logout and Login

Verify GPG relay works.
gpg-agent-relay status
gpg --card-status

Forward GPG to Linux

GPG Agent Forwarding requires gnupg > 2.1.17 on both machines.


Fowarding gpg-agent credentials should ONLY be done on trusted machines. See recent security breach. Here be dragons.

Determine Sockets

Find your extra socket on your local machine.
gpgconf --list-dir agent-extra-socket
Find the socket on the remote machine.
gpgconf --list-dir agent-socket

Update SSHD Config

The remote system needs to be updated to force removal of sockets before creating new ones; which will enable automatic forwarding of gpg-agent. Without this the socket will manually need to be re-created every login.

0600 root root /etc/ssh/sshd_config
StreamLocalBindUnlink yes

Restart SSHD.

Create GPG Tunnel Config

0600 {USER} {USER} ~/.ssh/config

Connect using the ssh config remote name.


--notify-await message on start

Your WSL instance does not support socket notification of a service starting. You will need to modify the gpg-agent-relay script to work for your distribution or find another WSL distribution to run.

gpg: error retrieving {GPGID} via WKD: General error

You need to import your {GPGID} public key into the local keyring to use it.

Import your public key. Either use keybase, keyservers, or exported key. | gpg --import
Optionally fully trust your key. If you are certain it is valid.
$ gpg --list-keys
$ gpg --edit-key {KEY ID}

> trust
> 5
> quit


  1. gpg-agent-relay

  2. Yubikey, GPG, WSL1