Since gpg-agent isn't used for ssh authentication on Ubuntu, and there are indeed 2 different daemons vying for the job, it can get complicated to figure out how to untangle the distro and step the agent into his rightful position.

This is simple once you know exactly which knobs to frob; in this case there are 3:

  • Tell Xsession initialization to not start ssh-agent
  • Tell Gnome init not to start the gnome keyring
  • Enable ssh agent emulation support on gpg-agent

Using gpg for encryption on Linux is an important way to store PKI keys in hardware-backed security modules like a Yubikey, or a more traditional smartcard. Using an agent is also an important way to securely make the authentication process more convenient.

After installing gnupg, the tooling, libraries, and daemons will be installed including the gpg-agent these changes will bring the agent online for use. You've probably already done this if you have your keys created and ready to go, there are plenty of great guides describing that process.


Running the ssh-agent daemon will interfere with running gpg-agent with its ssh agent capability.

Edit this file to change the line use-ssh-agent to no-use-ssh-agent.

This system is inherited from Debian (on which Ubuntu is based), where while looking for a good place to start the venerable ssh-agent daemon, the maintainers decided during the X session initialization itself would fit nicely. Changing that config option signals the initialization process to skip that step.


This file starts the gnome keyring, which will also interfere with gpg-agent.

Copy this to ~/.config/autostart/gnome-keyring-ssh.desktop and add a line Hidden=true to disable this autostart for your user account only.


Create this if it doesn't exist, and add the line enable-ssh-support.

Besides the agent and tools, the installation process also installs systemctl user units to manage these daemons via systemctl (see /usr/lib/systemd/user/gpg-agent.service). Running $ systemctl --user status gpg-agent will show the status of gpg-agent, while $ systemctl --user reload gpg-agent can be used to have the daemon reload config changes.

There is also a unit gpg-agent-ssh.socket which creates and mediates connections to the gpg-agent socket which speaks ssh-agent. This means that the socket is always created, but the above setting causes the SSH_AUTH_SOCK environment variable–which ssh tools use to find the agent–to be appropriately set, and tells the agent to listen.


Since these daemons all get setup during the start of your login, simply log out of your X session and log back in to have everything working right without a restart (often ctrl-alt-backspace, mod+shift+e for default i3wm).

Execute ssh-add -l to see if your gpg keys are now available for ssh authentication.

A lot of other instructions out there have old or unnecessary steps, I found this was sufficient to get the setup working correctly.