
pam: add support for pam_gnupg #97726

Merged
merged 1 commit into from Oct 26, 2020

Conversation

NickHu
Contributor

@NickHu NickHu commented Sep 11, 2020

Motivation for this change

Adds support for pam-gnupg to the pam
module. This PR depends on #78143.

How I'm using this

In configuration.nix:

  security = {
    pam = {
      services =
        let defaults = {
              gnupg = {
                enable = true;
                noAutostart = true;
                storeOnly = true;
              };
            };
        in {
          login = defaults;
          i3lock = defaults;
          i3lock-color = defaults;
        };
    };
  };

(The interface for the pam module is pretty rough, but at least this PR
doesn't make things worse).

In home.nix:

    home.file.".pam-gnupg".text = ''
      <keygrips go here>
    '';
    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
      extraConfig = ''
        allow-preset-passphrase
      '';
      maxCacheTtl = 168000; # preset passphrase from pam-gnupg expires after max-cache-ttl
      maxCacheTtlSsh = 168000;
    };

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@doronbehar
Contributor

  security = {
    pam = {
      services =
        let defaults = {
              gnupg = {
                enable = true;
                noAutostart = true;
                storeOnly = true;
              };
            };
        in {
          login = defaults;
          i3lock = defaults;
          i3lock-color = defaults;
        };
    };
  };

Why do you need to copy the defaults to each of login, i3lock, and i3lock-color? What's the effect of this?

@zowoq zowoq removed their request for review September 23, 2020 01:02
@NickHu
Contributor Author

NickHu commented Sep 23, 2020

It adds the corresponding lines to /etc/pam.d/{login,i3lock,i3lock-color}:

# Authentication management.
...
auth optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so store-only
...
# Session management.
...
session optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so no-autostart

(actually, it seems on my system i3lock-color is a symlink to i3lock); the pam module itself is quite confusing, which is what I meant by the interface is quite rough…

It absolutely needs to go into /etc/pam.d/login, because the whole point is your login password gets forwarded to gpg-agent. It's in /etc/pam.d/i3lock for a similar reason; the idea being that when i3lock starts it can flush your password from gpg-agent, and when you unlock it can forward your password again.

@doronbehar
Contributor

Hmm, I couldn't get this to work for me :/. I used your configuration except the i3login stuff and manually edited my ~/.gpg-agent.conf:

pinentry-program /home/doron/.bin/pinentry

allow-loopback-pinentry

enable-ssh-support
# no-allow-external-cache
max-cache-ttl = 168000
allow-preset-passphrase

default-cache-ttl 7200

I "enable" gpg-agent via:

    programs.gnupg = {
      agent = {
        enable = true;
        enableBrowserSocket = true;
        enableExtraSocket = true;
        pinentryFlavor = null;
        enableSSHSupport = false;
      };
      dirmngr.enable = true;
    };

I'm using Gnome & GDM.

@NickHu
Contributor Author

NickHu commented Oct 13, 2020

Can you confirm that you have something like:

❯ cat /etc/pam.d/login | grep gnupg
auth optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so store-only
session optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so no-autostart

Also, have you made sure that your login password and your GPG password are the same?

@doronbehar
Contributor

Can you confirm that you have something like:

Yes.

Also, have you made sure that your login password and your GPG password are the same?

That wasn't the case when I wrote my previous comment, but even now that it is, it's not working. What I expect to work is for the gpg-agent to have a "password cached" (using gpg --decrypt after login, I expect it to not ask me for a password, considering also the modifications to gpg-agent.conf). I also couldn't find any mentions of pam_gnupg.so in journalctl --boot | grep pam:

Oct 14 12:17:53 ZENIX systemd[1126]: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: unable to locate daemon control file
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: stashed password to try later in open session
Oct 14 12:18:15 ZENIX gdm-password][1731]: pam_unix(gdm-password:session): session opened for user doron by (uid=0)
Oct 14 12:18:15 ZENIX systemd[1737]: pam_unix(systemd-user:session): session opened for user doron by (uid=0)
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring

Gnome keyring is failing there due to the fact that my login gnome keyring store uses my old login password.

@NickHu
Contributor Author

NickHu commented Oct 14, 2020

Did you also add your keygrip to ~/.pam_gnupg?

@doronbehar
Contributor

I thought it's ~/.pam-gnupg - as in your home.nix. Switching to it didn't help. I also added the defaults to systemd-user as well, as it seems maybe gdm is using it? Don't know.

Here is the output of gpg -K --with-grip:

/home/doron/.gnupg/pubring.kbx
------------------------------
sec   dsa3072 2019-02-09 [SC]
      988D757E0D84771930E7047EBB1D362238FABF47
      Keygrip = 482908DDD3EAA1CDFD23DDE619D5DA390CF9DD3F
uid           [ unknown] Doron Behar (Password encryptions) <me@doronbehar.com>
ssb   elg3072 2019-02-09 [E]
      Keygrip = A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95

And:

$ cat ~/.pam_gnupg
A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95

@doronbehar
Contributor

I chose the subkey because when I gpg --decrypt:

┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key:  │
│ "Doron Behar (Password encryptions) <me@doronbehar.com>"       │
│ 3072-bit ELG key, ID 16EB537E47DAEB9D,                         │
│ created 2019-02-09 (main key ID BB1D362238FABF47).             │
│                                                                │
│                                                                │
│ Passphrase: __________________________________________________ │
│                                                                │
│         <OK>                                    <Cancel>       │
└────────────────────────────────────────────────────────────────┘

@NickHu
Contributor Author

NickHu commented Oct 14, 2020

Sorry, I meant ~/.pam-gnupg; I don't get anything in the journal about this pam module either, but it's definitely working for me.

Do you have $GNUPGHOME set, i.e. is your GPG stuff somewhere other than ~/.gnupg? If so, you'll need to set it in ~/.pam_environment like it says here

You mentioned ~/.gpg-agent.conf but for me (and by default) this file is located at ~/.gnupg/gpg-agent.conf

@doronbehar
Contributor

You mentioned ~/.gpg-agent.conf but for me (and by default) this file is located at ~/.gnupg/gpg-agent.conf

That's my mistake. I am using ~/.gnupg/gpg-agent.conf.

Do you have $GNUPGHOME set, i.e. is your GPG stuff somewhere other than ~/.gnupg? If so, you'll need to set it in ~/.pam_environment like it says here

No. Regular ~/.gnupg.

Sorry, I meant ~/.pam-gnupg; I don't get anything in the journal about this pam module either, but it's definitely working for me.

Using ~/.pam-gnupg now. Tried the subkey and the main key keygrips both. Tried using noAutoStart = false;, and storeOnly = false; and it didn't help. I suspect it's an issue with gdm..

That's as far as I can help. Sorry.
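As an added diagnostic, not code from the PR or from the pam-gnupg project, the following Python script runs the checklist worked through above (pam.d auth/session lines, allow-preset-passphrase in gpg-agent.conf, keygrips in ~/.pam-gnupg matching `gpg -K --with-grip`) against constructed sample file contents modelled on this thread; the function names and sample data are assumptions.

```python
import re

# Constructed sample inputs modelled on what the thread shows (not real files).
PAM_LOGIN = """\
auth optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so store-only
session optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so no-autostart
"""
AGENT_CONF = "allow-preset-passphrase\nmax-cache-ttl 168000\n"
LISTING = """\
sec   dsa3072 2019-02-09 [SC]
      Keygrip = 482908DDD3EAA1CDFD23DDE619D5DA390CF9DD3F
ssb   elg3072 2019-02-09 [E]
      Keygrip = A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95
"""
PAM_GNUPG = "A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95\n"

def pam_gnupg_entries(pam_text):
    # Map each PAM type (auth/session) to the options passed to pam_gnupg.so.
    entries = {}
    for fields in (line.split() for line in pam_text.splitlines()):
        if len(fields) >= 3 and fields[2].endswith("pam_gnupg.so"):
            entries[fields[0]] = fields[3:]
    return entries
def keygrips_from_listing(listing):
    # Every "Keygrip = ..." value from `gpg -K --with-grip` output.
    return set(re.findall(r"Keygrip = ([0-9A-F]{40})", listing))
def option_enabled(conf_text, option):
    # True if a non-comment gpg-agent.conf line starts with `option`.
    lines = (l.split() for l in conf_text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return any(fields[0] == option for fields in lines)
def audit(pam_text, agent_conf, pam_gnupg_text, listing):
    # Returns a list of problems; an empty list means the checklist passes.
    problems, entries = [], pam_gnupg_entries(pam_text)
    if "auth" not in entries:
        problems.append("no auth line for pam_gnupg.so: the passphrase is never captured")
    if "session" not in entries:
        problems.append("no session line for pam_gnupg.so: nothing is presented to gpg-agent")
    if not option_enabled(agent_conf, "allow-preset-passphrase"):
        problems.append("gpg-agent.conf lacks allow-preset-passphrase: the agent rejects presets")
    known = keygrips_from_listing(listing)
    grips = [l.strip() for l in pam_gnupg_text.splitlines() if l.strip() and not l.startswith("#")]
    if not grips:
        problems.append("~/.pam-gnupg lists no keygrips")
    for grip in grips:
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", grip):
            problems.append(f"{grip!r} is not a 40-hex keygrip")
        elif grip.upper() not in known:
            problems.append(f"keygrip {grip} is not in the secret keyring")
    return problems
```

To check a real machine, feed it the contents of /etc/pam.d/<service>, ~/.gnupg/gpg-agent.conf, ~/.pam-gnupg and the captured output of `gpg -K --with-grip`.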

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/338

@NickHu
Contributor Author

NickHu commented Oct 26, 2020

I'm just going to merge this seeing as it works for me. It faithfully implements the instructions here, and I'm not sure what more you could ask for in a NixOS module. We could always reopen this if it's not working for someone else. For what it's worth, I'm using lightDM in its default configuration.

@NickHu NickHu merged commit 921287e into NixOS:master Oct 26, 2020
@doronbehar
Contributor

BTW a few days ago I noticed my gpg agent doesn't cache passwords at all, something GNome related... So probably it was my fault back then it didn't work.

@jlesquembre
Member

@NickHu thanks for this PR, it works for me :)

@doronbehar to make it work with gdm, use pam.services.gdm; it looks like login is not enough. You can take a look at my dotfiles:
https://github.com/jlesquembre/dotfiles/blob/faece9e9b65c947ca9c676f2d60b9906281661f2/modules/common-configuration.nix#L364-L379
Not sure if relevant, but notice that I manage the gpg-agent with NixOS, not home-manager (although I use home-manager for the .gnupg files: https://github.com/jlesquembre/dotfiles/blob/faece9e9b65c947ca9c676f2d60b9906281661f2/home-manager/common.nix#L201-L215 )
