ssh auth with gpg on windows



Prerequisites: You already have a GPG private key with an authentication subkey.


Setup

1. Install Gpg4win

Download and install Gpg4win, making sure to include Kleopatra in the installation.

2. Import Your GPG Key

Open Kleopatra and import your GPG private key (the one containing your auth subkey).

3. Enable SSH Support in Kleopatra

Go to Settings → Configure Kleopatra → GnuPG System → Private Keys and enable SSH support.

4. Enable Win32 OpenSSH Support

Navigate to %AppData%\Roaming\gnupg and open gpg-agent.conf. Add the following line:

enable-win32-openssh-support

5. Restart the GPG Agent with Kleopatra

Go to Tools → Restart Background Processes.

6. Initialize the sshcontrol File

Run the following command — this causes the agent to create the sshcontrol file in your %AppData%\Roaming\gnupg folder:

ssh-add -L

7. Find Your Auth Subkey's Keygrip

gpg --with-keygrip --list-keys

Locate the entry marked [A] (your authentication subkey) and copy its Keygrip value.

8. Register the Keygrip

Open %AppData%\Roaming\gnupg\sshcontrol and add the keygrip on its own line. Make sure there are no trailing spaces or extra blank lines at the end of the file.

9. Verify

ssh-add -L

This should now output the public key corresponding to your GPG auth subkey. You can add this public key to any server's ~/.ssh/authorized_keys.
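The check below is an added example, not part of the original post: it picks the [A] keygrip out of `gpg --with-keygrip --list-keys` output (step 7) and audits sshcontrol text for the problems step 8 warns about. The key listing is constructed, the function names are hypothetical, and accepting a single terminating newline is an assumption.

```python
import re

# Constructed sample of `gpg --with-keygrip --list-keys` output (not a real key).
SAMPLE_GPG_OUTPUT = """\
pub   ed25519 2024-01-01 [SC]
      1111111111111111111111111111111111111111
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Example User <user@example.invalid>
sub   cv25519 2024-01-01 [E]
      Keygrip = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
sub   ed25519 2024-01-01 [A]
      Keygrip = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
"""

KEY_LINE = re.compile(r"^(?:pub|sub|sec|ssb)\S*\s.*\[([A-Z]+)\]")
GRIP_LINE = re.compile(r"^\s+Keygrip = ([0-9A-F]{40})\s*$")

def auth_keygrips(gpg_output):
    """Return keygrips of keys whose capability flags include A (authentication)."""
    grips, caps = [], ""
    for line in gpg_output.splitlines():
        key = KEY_LINE.match(line)
        grip = GRIP_LINE.match(line)
        if key:
            caps = key.group(1)          # e.g. "SC", "E", "A"
        elif grip and "A" in caps:
            grips.append(grip.group(1))
            caps = ""                    # one keygrip per key line
    return grips

def audit_sshcontrol(text, keygrip):
    """List problems that keep `keygrip` from being a clean, enabled entry."""
    text = text.replace("\r\n", "\n")    # Windows editors write CRLF
    lines = text.split("\n")
    if text.endswith("\n"):
        lines.pop()                      # assumption: one final newline is fine
    problems = []
    if text.strip() and not lines[-1].strip():
        problems.append("blank line(s) at end of file")
    enabled = False
    for n, line in enumerate(lines, 1):
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace")
        fields = line.split()            # keygrip may be followed by TTL/flags
        if fields and fields[0].upper() == keygrip:
            enabled = True               # "#..." and "!GRIP" never match
    if not enabled:
        problems.append("auth keygrip not listed")
    return problems
```

Feed it the real command output and the contents of your sshcontrol file; an empty list from `audit_sshcontrol` means the entry is present and free of the whitespace issues described above.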


Troubleshooting

error fetching identities: agent refused operation

This usually means the sshcontrol file or agent state is out of sync. Reset it cleanly:

  1. Close Kleopatra, then kill the agent:

gpgconf --kill gpg-agent

  2. Delete %AppData%\Roaming\gnupg\sshcontrol.

  3. Reopen Kleopatra to restart the agent.

  4. Confirm the agent is running with an empty identity list:

ssh-add -L
# Expected: "The agent has no identities."

  5. Add your keygrip back to the newly created sshcontrol file and save (no trailing spaces or newlines).

  6. Confirm your public key is now registered:

ssh-add -L
# Expected: your GPG auth subkey's public key