How to set up an encrypted .netrc file with GPG for GitHub 2FA access

Enabling 2 factor authentication on GitHub is a good way to protect your data, but unfortunately, it means you can’t use your password to login at the command line on Linux for pushes and pulls to HTTPS repositories. You can set up a special .netrc file to enable 2FA login from the command line.

First, go to GitHub and create a Personal Access Token. Then, create a ~/.netrc file with the following contents:

login yourusername
password <token>
protocol https

login yourusername
password <token>
protocol https

where <token> is the token set up on the GitHub website.

Then generate a GPG key if one doesn’t exist:

gpg --gen-key

Make sure to put a passphrase on that key. You may have to do some other tasks on the computer while it generates enough entropy. Then encrypt the ~/.netrc file:

gpg -e -r ~/.netrc

Now the ~/.netrc file can be deleted as long as the ~/.netrc.gpg file is kept. Add the netrc credential helper:

curl -o ~/.local/bin/git-credential-netrc

Finally, set up Git to use this file:

git config --global credential.helper "netrc -f ~/.netrc.gpg -v"

Install gpg-agent and pinentry

sudo apt-get install gnupg-agent pinentry-curses

Add to ~/.profile:

# Invoke GnuPG-Agent the first time we login.
# Does `~/.gpg-agent-info' exist and points to gpg-agent process accepting signals?
if test -f $HOME/.gpg-agent-info && \
    kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
    GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info | cut -c 16-`
    # No, gpg-agent not available; start gpg-agent
    eval `gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info`
export GPG_TTY=`tty`

Now https pushes and pulls should work with GitHub on Linux.