https://github.com/x70b1/pam_exec-gpg

Unlock GnuPG keys keys on login using PAM.
https://github.com/x70b1/pam_exec-gpg

gpg pam

Last synced: 6 months ago
JSON representation

Unlock GnuPG keys keys on login using PAM.

• Host: GitHub
• URL: https://github.com/x70b1/pam_exec-gpg
• Owner: x70b1
• License: unlicense
• Created: 2021-11-22T23:53:11.000Z (almost 4 years ago)
• Default Branch: master
• Last Pushed: 2025-03-18T21:42:15.000Z (7 months ago)
• Last Synced: 2025-03-27T14:01:43.709Z (6 months ago)
• Topics: gpg, pam
• Language: Shell
• Homepage:
• Size: 10.7 KB
• Stars: 1
• Watchers: 1
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# pam_exec-gpg

[![Actions](https://github.com/x70b1/pam_exec-gpg/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/x70b1/pam_exec-gpg/actions)

[![Contributors](https://img.shields.io/github/contributors/x70b1/pam_exec-gpg.svg)](https://github.com/x70b1/pam_exec-gpg/graphs/contributors)

[![License](https://img.shields.io/github/license/x70b1/pam_exec-gpg.svg)](https://github.com/x70b1/pam_exec-gpg/blob/master/LICENSE)

Unlock GnuPG keys keys on login using PAM.

[pam-gnupg](https://github.com/cruegge/pam-gnupg) is an awesome project too.

## Installation

For Arch Linux users is already a [pam_exec-gpg-git](https://aur.archlinux.org/packages/pam_exec-gpg-git/) package in the AUR.

Otherwise just copy the script, set the permissions and install `pam`.

```sh

cp pam_exec-gpg /usr/bin/pam_exec-gpg

chown root:root /usr/bin/pam_exec-gpg

chmod 755 /usr/bin/pam_exec-gpg

```

## Configuration

You need a running `gpg-agent` and the agent have to be started before you login.

Take a look at the wiki how to [configure gpg-agent](https://wiki.archlinux.org/title/GnuPG#gpg-agent).

There are several locations that are checked for a config file:

* `~/.gnupg/pam_exec-gpg`

* `~/.gnupg/pamcontrol`

* `~/.config/gnupg/pam_exec-gpg`

* `~/.config/gnupg/pamcontrol`

A config file should contain the keygrips, one per line.

Comments `#` are allowed.

Add the PAM call to your config:

```

auth		optional	pam_exec.so expose_authtok /usr/bin/pam_exec-gpg

```

To make sure that your keys are locked again you can restart your `gpg-agent`.

A good time to do this is when you lock your screen.

This means all keys are locked when you leave your device but the agent is still prepared for the next use.