The ultimate guide to Yubikey on WSL2 [Part 2]

Jaroslav Živný
3 min readFeb 15, 2021


In the Previous part we configured OpenGPG with Yubikey. In case you have it done, we can continue on how to access your YubiKey in WSL2.

Disclaimer: This tutorial is written for WSL2 with Ubuntu. It may differ distro from distro.

Access your YubiKey in WSL2


Install socat and wsl2-ssh-pageant in WSL:

# WSL2
$ sudo apt install socat scdaemon
$ mkdir ~/.ssh
$ wget -O ~/.ssh/wsl2-ssh-pageant.exe
$ chmod +x ~/.ssh/wsl2-ssh-pageant.exe

Sync sockets

This part is inspired by this tutorial.

Edit your ~/.bashrc or `~/.zshrc` — depends on your shell (e.g. via nano or vim) and add following content:

# SSH Socket
# Removing Linux SSH socket and replacing it by link to wsl2-ssh-pageant socket
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
if ! ss -a | grep -q "$SSH_AUTH_SOCK"; then
rm -f "$SSH_AUTH_SOCK"
if test -x "$wsl2_ssh_pageant_bin"; then
(setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin" >/dev/null 2>&1 &)
echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."
# GPG Socket
# Removing Linux GPG Agent socket and replacing it by link to wsl2-ssh-pageant GPG socket
export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
if ! ss -a | grep -q "$GPG_AGENT_SOCK"; then
rm -rf "$GPG_AGENT_SOCK"
if test -x "$wsl2_ssh_pageant_bin"; then
(setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK,fork" EXEC:"$wsl2_ssh_pageant_bin --gpgConfigBasepath ${config_path} --gpg S.gpg-agent" >/dev/null 2>&1 &)
echo >&2 "WARNING: $wsl2_ssh_pageant_bin is not executable."

Restart WSL by running

wsl.exe --shutdown

When you open Ubuntu Terminal now and run gpg — card-status you should be able to see something like this:

Import GPG key to WSL2

If you check GPG keys availible in WSL2 via gpg — list-keys or gpg — list-secret-keys you get empty results. We have to first import them. It’s quite easy, just run:

# WSL2
$ gpg --card-edit

This will open gpg command interface. Just type fetch. It’ll get you public keys from (we uploaded them there in the previous part)

In case you haven’t uploaded the public keys to (as shown in the part 1 of this tutorial). You can import it via asc file (exported in part 1) via:

gpg --import PATH_TO_ASC_FILE

Exit the gpg command interface via quit

If you now run gpg — list-keys you finally get your keys.

Great success!

Now we are missing one small step. As you can see. The trustworthiness of our certificate is unknown (information next to the name). We can change it via running:

# WSL2
$ gpg --edit-key YOUR_KEY_ID # In my case 1E9...

This opens gpg console insterface. Write:

# WSL2
trust # Change trust level
5 # Set trust level to ultimate
save # Save the changes

If you list keys via gpg — list-keys now. You should be able to see [ultimate] next to your name.

Additional Tips

Yubikey stopped working on WSL

1. Unplug Yubikey
2. Shutdown wsl `wsl — shutdown`
3. Shutdown Kleopatra in Task manager
4. Shutdown wsl2-ssh-pageant in Task manager
5. Start Kleopatra
6. Start wsl — open a new window
7. Plug in the Yubikey

Getting “error: Couldn’t load public key XXX No such file or directory?”

Unset gpg.format via

git config — global — unset gpg.format

We’ll continue in the part 3.