December 01, 2017

Using GPG inside a Docker container

One day you may need to run GPG 2.x inside a Docker container.

In Ubuntu Artful the gpg-agent creates its agent-socket under /run/user instead of in $GNUPGHOME/, which by default is ~/.gnupg.

You can check which path your gpg agent-socket uses by running:

$ gpgconf --list-dirs | grep agent-socket
agent-socket:/run/user/1000/gnupg/S.gpg-agent

Check whether your current GPG supports a socketdir by running:

  • ubuntu-artful with gpg 2.1.15
$ gpgconf --dry-run --create-socketdir
gpgconf: socketdir is '/run/user/1000/gnupg'
  • ubuntu-xenial with gpg 2.1.11
$ gpgconf --dry-run --create-socketdir
gpgconf: invalid option "--create-socketdir"

There are two ways of using GPG 2.x in a Docker container.

Before you continue, make sure you have an image with GPG 2.x installed.

  • Create the new image with GPG 2.x (the apt-get line runs inside the container; run the docker commit from a second shell while that container is still running, because --rm removes it as soon as bash exits):
docker run --rm -ti ubuntu:artful bash
apt-get update && apt-get -y install gnupg2
docker commit $(docker ps -lq) ubuntu:artful-gpg2
  • A) Using a running gpg-agent on your host:
docker run --rm -ti -u $(id -u):$(id -g) -v ${HOME}/.gnupg/:/.gnupg/:ro \
           -v /run/user/$(id -u)/:/run/user/$(id -u)/:ro \
           ubuntu:artful-gpg2 bash
  • B) Running a new gpg-agent instance inside a container:
docker run --rm -ti -u $(id -u):$(id -g) -v ${HOME}/.gnupg/:/.gnupg/:ro \
           --tmpfs /run/user/$(id -u)/:mode=0700,uid=$(id -u),gid=$(id -g) \
           ubuntu:artful-gpg2 bash
$ gpg-agent --daemon

Now that you have picked either path A or B, you should be ready to use GPG:

gpg2 -K
echo test | gpg2 -e -a -r recipient | gpg2 -d
echo test | gpg2 --clearsign
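The two mount layouts above, as an added helper script that is not part of the original post: it reads the agent-socket path from `gpgconf --list-dirs`, works out whether the socket lives under /run/user (artful) or inside GNUPGHOME (xenial), and emits the matching docker run options for path A or B. The function names, the uid/gid/home values in the comments and the assumption that the image has no passwd entry for the uid are mine.

```shell
#!/bin/sh
# Added helper, not from the original post: builds the `docker run` options
# for path A (host agent) or path B (agent inside the container) from the
# output of `gpgconf --list-dirs`. Function names are my own.

# Print the agent socket path from `gpgconf --list-dirs` output on stdin,
# e.g. "agent-socket:/run/user/1000/gnupg/S.gpg-agent".
agent_socket_path() {
    sed -n 's/^agent-socket://p' | head -n 1
}

# Print the per-user runtime dir (/run/user/UID) when the socket lives
# there (gpg with socketdir support); fail when it sits inside GNUPGHOME
# (older gpg such as 2.1.11 on xenial).
socket_run_dir() {
    case "$1" in
        /run/user/*/gnupg/S.gpg-agent) printf '%s\n' "${1%/gnupg/S.gpg-agent}" ;;
        *) return 1 ;;
    esac
}

# $1 = A or B, $2 = uid, $3 = gid, $4 = host GNUPGHOME, $5 = agent socket.
# The keyring is mounted read-only at /.gnupg: with -u <uid> and no passwd
# entry in the image (assumed here), HOME resolves to /, so gpg looks there.
# gpg-agent only uses /run/user/UID if that directory itself is owned by
# the uid with mode 0700, so the whole directory is shared (A) or provided
# as a private tmpfs (B), not just its gnupg subdirectory.
gpg_docker_opts() {
    mode=$1 uid=$2 gid=$3 gnupghome=$4 sock=$5
    base="--rm -ti -u $uid:$gid -v $gnupghome/:/.gnupg/:ro"
    rundir=$(socket_run_dir "$sock") || rundir=
    case "$mode" in
        A)  # Sharing the host socket lets the container sign and decrypt
            # with the host's keys for as long as the host agent holds them.
            if [ -n "$rundir" ]; then
                printf '%s -v %s/:%s/:ro\n' "$base" "$rundir" "$rundir"
            else
                printf '%s\n' "$base"   # socket already inside /.gnupg
            fi ;;
        B)  # Private socketdir; run `gpg-agent --daemon` in the container.
            printf '%s --tmpfs /run/user/%s/:mode=0700,uid=%s,gid=%s\n' \
                "$base" "$uid" "$uid" "$gid" ;;
        *)  echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Usage on the host, for example:
#   docker run $(gpg_docker_opts A "$(id -u)" "$(id -g)" "$HOME/.gnupg" \
#       "$(gpgconf --list-dirs | agent_socket_path)") ubuntu:artful-gpg2 bash
```

Path A grants the container everything the host agent will do with the cached keys, so prefer path B when the container only needs the keyring and not the host's unlocked agent.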

Please feel free to comment in case of questions or suggestions.