WSL Setup for Yubikey

Configuring WSL2 for Yubikey Pass-Through

Setup The Host

Install the pre-requisites:

The host-side steps are adapted from the DevGenius blog post "Configure SSH Key and Git Integration With Windows 10 Native Way" (thanks to its author).

In an administrative Powershell prompt. Note that %APPDATA%\gnupg only exists once gpg has been run at least once, and that Add-Content appends, so run this block once or you will end up with duplicated options:

# gpg-agent: expose the card keys through the Pageant protocol, which is what wsl2-ssh-pageant talks to
Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-putty-support"
Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-ssh-support"

# scdaemon: pin the reader to the YubiKey and log card traffic while troubleshooting
Add-Content $env:APPDATA\gnupg\scdaemon.conf "debug-level guru"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "log-file scdaemon.log"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "reader-port Yubico Yubi"

# gpg itself reads gpg.conf (there is no gnupg.conf)
Add-Content $env:APPDATA\gnupg\gpg.conf "charset utf-8"

# Windows OpenSSH client and its ssh-agent service
$OpenSSHClient = Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Client*'
Add-WindowsCapability -Online -Name $OpenSSHClient.Name

$SSHAgentSvc = Get-Service -Name 'ssh-agent'
Set-Service -Name $SSHAgentSvc.Name -StartupType Automatic
Start-Service -Name $SSHAgentSvc.Name

gpg-agent reads gpg-agent.conf only at start-up, so stop any running agent afterwards (gpg-connect-agent killagent /bye); the next gpg call starts a fresh one with the new options. The two scdaemon debug lines make scdaemon log every command exchanged with the card in great detail; they are useful while getting the setup to work and should be removed once it does.

In your normal user Powershell prompt:

ssh-keygen # only if you don't already have a file-based SSH key
ssh-add    # loads ~/.ssh/id_* into the Windows ssh-agent service

This registers file-based keys with the Windows ssh-agent service only; the key on the YubiKey is served by gpg-agent and needs no ssh-add.

Inside a WSL2 Session

Thanks to Jaroslav Živný's blog articles

sudo apt install socat
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# release pinned to v1.2.0 as in the original; check the project's releases page for newer builds
wget https://github.com/BlackReloaded/wsl2-ssh-pageant/releases/download/v1.2.0/wsl2-ssh-pageant.exe -O ~/.ssh/wsl2-ssh-pageant.exe
chmod +x ~/.ssh/wsl2-ssh-pageant.exe

Copy this into a script that will be run at session startup, ~/.gpg4wsl

# SSH socket
# Replace the Linux agent socket with a socat bridge to wsl2-ssh-pageant,
# which forwards to the Windows gpg-agent over its Pageant interface
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"
# only start a new bridge if nothing is already listening on that path
if ! ss -xl | grep -qF "$SSH_AUTH_SOCK"; then
  rm -f "$SSH_AUTH_SOCK"
  setsid nohup socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"$HOME/.ssh/wsl2-ssh-pageant.exe" &>/dev/null &
fi
# GPG socket
# Same bridge for the gpg-agent socket, so gpg inside WSL talks to the
# Windows gpg-agent and through it to the YubiKey
export GPG_AGENT_SOCK="$HOME/.gnupg/S.gpg-agent"
# socat cannot create the socket if the directory is missing
mkdir -p "$HOME/.gnupg" && chmod 700 "$HOME/.gnupg"
if ! ss -xl | grep -qF "$GPG_AGENT_SOCK"; then
  rm -f "$GPG_AGENT_SOCK"
  setsid nohup socat UNIX-LISTEN:"$GPG_AGENT_SOCK",fork EXEC:"$HOME/.ssh/wsl2-ssh-pageant.exe --gpg S.gpg-agent" &>/dev/null &
fi

Add this to the end of ~/.bashrc or ~/.zshrc, or wherever you want to auto-run the script from:

source ~/.gpg4wsl

If gpg later reports no card even though the socket exists, compare the GPG_AGENT_SOCK path with the one printed by gpgconf --list-dirs agent-socket: on distributions where /run/user/<uid> exists (for example with systemd enabled in WSL), gpg looks for its agent socket there rather than under ~/.gnupg, and the script must use that path.

Back on the host PC, restart WSL:

wsl.exe --shutdown

The next time you start a WSL session, gpg --card-status should show the YubiKey (reader, application ID, serial number) and ssh-add -L should list the key held on it, marked with a "cardno:" comment. Keep in mind that the bridge makes the Windows gpg-agent reachable from every process in the WSL distribution that runs as your user, so enable the YubiKey's touch policy for the signature and authentication keys if you want each use to require physical confirmation.
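As a post-setup check for the whole procedure above, the following script tests the three things that have to be true for the bridge to work: a socat listener on each socket, a card visible to gpg, and a card-backed key offered over SSH. It is an added example and not part of the original page or of the wsl2-ssh-pageant project; it assumes the socket paths used in ~/.gpg4wsl, that ss, gpg and ssh-add are on PATH, and that gpg-agent labels card keys with a "cardno:" comment in ssh-add -L output. The sample outputs embedded in it are constructed, not captured from a real machine, so the parsing helpers can be exercised without a YubiKey.

```bash
#!/usr/bin/env bash
# check-gpg4wsl.sh: post-setup check for the WSL2 -> Windows gpg-agent bridge.
# Added example, not part of the original page or of wsl2-ssh-pageant.
# Assumes the socket paths from ~/.gpg4wsl and that ss, gpg and ssh-add
# are on PATH. Live checks run only when invoked as:  bash check-gpg4wsl.sh check

SSH_SOCK="$HOME/.ssh/agent.sock"
GPG_SOCK="$HOME/.gnupg/S.gpg-agent"

# sock_listening PATH  (reads `ss -xl` output on stdin)
# True only when PATH is a unix stream socket in the LISTEN state.
# A plain `ss -a | grep -q PATH` also matches stale ESTAB entries and any
# longer path that contains PATH, which would hide a dead bridge.
sock_listening() {
  awk -v s="$1" '$1 == "u_str" && $2 == "LISTEN" && $5 == s { found = 1 }
                 END { exit !found }'
}

# card_serial  (reads `gpg --card-status` output on stdin)
# Prints the "Serial number" field; returns 1 when no card was reported.
card_serial() {
  awk -F': *' '/^Serial number/ { print $2; ok = 1 } END { exit !ok }'
}

# card_keys  (reads `ssh-add -L` output on stdin)
# Counts keys served from a smart card: gpg-agent labels those
# "cardno:<serial>" in the key comment; file-based keys carry no such tag.
card_keys() {
  awk '/cardno:/ { n++ } END { print n + 0 }'
}

# Constructed sample outputs (not captured from a real machine). The ss
# sample mimics `ss -xa`: the gpg socket only has a stale ESTAB entry and
# no LISTEN entry, so the bridge for it must be reported as down.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port                 Peer Address:Port
u_str LISTEN 0      4096   /home/u/.ssh/agent.sock 40110         * 0
u_str ESTAB  0      0      /home/u/.gnupg/S.gpg-agent 40211      * 40212'
SAMPLE_CARD='Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001240100000006012345670000
Application type .: OpenPGP
Serial number ....: 12345678
Name of cardholder: [not set]'
SAMPLE_SSH='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobNotARealKey0000 cardno:000612345678
ssh-rsa AAAAB3NzaC1yc2EConstructedFileKeyBlobNotARealKey00000000 user@host'

# check_bridge: run the three checks against the live session and say
# which layer failed, so the reader knows where to look.
check_bridge() {
  local serial n
  ss -xl | sock_listening "$SSH_SOCK" \
    || { echo "no listener on $SSH_SOCK: source ~/.gpg4wsl first" >&2; return 1; }
  ss -xl | sock_listening "$GPG_SOCK" \
    || { echo "no listener on $GPG_SOCK: check that ~/.gnupg exists" >&2; return 1; }
  serial=$(gpg --card-status 2>/dev/null | card_serial) \
    || { echo "gpg sees no card: check scdaemon.log on the Windows side" >&2; return 1; }
  echo "card serial: $serial"
  n=$(ssh-add -L 2>/dev/null | card_keys)
  [ "$n" -gt 0 ] \
    || { echo "ssh-add -L offers no card-backed key: is the authentication key on the card?" >&2; return 1; }
  echo "ssh: $n card-backed key(s) offered"
}

if [ "${1:-}" = "check" ]; then check_bridge; fi
```

Run it with the check argument from a fresh WSL session after sourcing ~/.gpg4wsl; each failure message names the layer (socat listener, scdaemon on the host, or the key slot on the card) to inspect next.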