Signing or decryption of data using gnupg usually requires that the private key material is available within the same context as the data to operate on. While this is unproblematic in most use cases, such a situation might be suboptimal when data from lower-trusted context, e.g. e-mail client, is processed. Since many targeted attacks address weaknesses or vulnerabilities in e-mail or web-client, successful compromise of client will also allow theft of private key material.

The RemoteGnupg tool allows to forward some gnupg requests from lower-trusted to higher-trusted context via network with additional filtering of the call parameters. Thus it is possible to apply gnupg operations to data in lower-trusted context without copying the private key to that context.

The main difference of this approach to gnupg agent forwarding is that the tool allows to control which requests are forwarded and accept only those, that seem appropriate.


The RemoteGnupg consists of two programs, GnupgCallForwarder replaces gnupg in the lower-trusted context to intercept the call to gnupg. Depending on the argument the call is processed locally, e.g. for signature verification, or forwarded to the remote instance.

Within the higher-trusted context, forwarded request is received by GnupgCallReceiver. It filters the request command, and if appropriate invokes gnupg within this context. The user mas review the request in the trusted context and decide, if it should be processed.

In the initialization phase, the forwarder encodes the call arguments as list of 0-terminated strings and forwards them to the receiver. After that phase, stdin on the forwarder side is sent via the same link until EOF of stdin is reached.

The receiver processes the encoded call arguments, filters them, may apply modifications to them and then invoke the local gnupg application. While the gnupg subprocess is alive, stdout and stderr are read and sent back to remote side by using the single stream in multiplex mode. When the streams are closed or the application terminates, remote side is notified so that the forwarder can pass on that information to the program that invoked it.

Using RemoteGnupg with Enigmail

To use RemoteGnupg with Enigmail, open the OpenPGP preferences basic settings tab and override gnupg binary with RemoteGnupg tool.

CAVEAT: I did not succeed in using the alternative gnupg path together with the additional parameters configuration item from advanced settings tab due to unknown reason. Hence additional parameters has to be kept empty, instead an intermediate script has to be used, e.g.

#!/bin/sh exec "$(dirname "$0")/GnupgCallForwarder" --GnupgForwardRemoteAddress [host]:[port} --LogFile [your-log-file] "$@"

On the remote side, open a listening port, e.g. by combining socat with GnupgCallReceiver. At this position, additional parameters can be added to the gnupg invocation. See preamble of GnupgCallReceiver for more information. Command line might look like socat TCP4-LISTEN:[listen-port],reuseaddr=1,fork=1 "EXEC:[your-path]/GnupgCallReceiver --PrependArg --homedir --PrependArg [your-homedir-if-needed]"



Last modified 20171228
Contact e-mail: me (%)