diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index ee37c18d980dac..e85119b0e459dd 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -361,12 +361,15 @@ let # We use try_first_pass the second time to avoid prompting password twice (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs + || config.security.pam.enableGnupg || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth + ${optionalString config.security.pam.enableGnupg + "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.pamMount @@ -438,6 +441,8 @@ let "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} ${optionalString cfg.startSession "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} + ${optionalString config.security.pam.enableGnupg + "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"} ${optionalString cfg.forwardXAuth "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} ${optionalString (cfg.limits != []) @@ -726,6 +731,13 @@ in ''; }; + security.pam.enableGnupg = mkOption { + default = false; + description = '' + Enable pam_gnupg module to unlock GPG agent on login. + ''; + }; + users.motd = mkOption { default = null; example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; diff --git a/pkgs/os-specific/linux/pam_gnupg/default.nix b/pkgs/os-specific/linux/pam_gnupg/default.nix new file mode 100644 index 00000000000000..1b42a6250d0de6 --- /dev/null +++ b/pkgs/os-specific/linux/pam_gnupg/default.nix 
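Review bot: The new `auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so` line hangs off the global `config.security.pam.enableGnupg` flag, so once set it is wired into every PAM service that has `unixAuth` (login, sudo, su, sshd alike), and by its placement in the block whose comment says it exists "to avoid prompting password twice" it is evidently there to pick up the password `pam_unix` just collected and carry it to the session phase. Consider whether a per-service switch mirroring `cfg.enableKwallet` / `cfg.enableGnomeKeyring` fits better, so the login password is only forwarded to gpg-agent from the services that actually log a user in; if the global form is kept, a comment beside the new line such as `# pam_gnupg reuses the password pam_unix just collected; only effective where one is actually prompted` would tell the next reader why it sits in this block. The same global-flag pattern is used for the `session optional` line in the hunk at line 441, so whichever choice is made should be applied to both. The enclosing `optionalString` expression starts and ends outside the hunk.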
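Review bot: The new `security.pam.enableGnupg` option declares no `type`, so a non-boolean value would only fail later inside `optionalString` rather than at option evaluation; adding `type = types.bool;` pins it. The description is also thinner than an operator needs before turning on a module that handles the login password: it should say that the password entered at login must be the passphrase of the key(s) to unlock, that the keys are selected per user via the module's own configuration file (`~/.pam-gnupg` per the upstream README), and that gpg-agent has to be configured to accept preset passphrases (`allow-preset-passphrase`), since without those the option is silently a no-op. Mentioning that the module is only added to services with `unixAuth` would round it out.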
@@ -0,0 +1,24 @@
+{ stdenv, fetchgit, autoreconfHook, gnupg, pam } :
+
+stdenv.mkDerivation rec {
+ pname = "pam_gnupg";
+ version = "unstable-2019-12-06";
+
+ src = fetchgit {
+ url = https://github.com/cruegge/pam-gnupg;
+ rev = "fbd75b720877e4cf94e852ce7e2b811feb330bb5";
+ sha256 = "0kqn6xb85jfmhvvbd2lasnci46p2pcwy0wq233za9h7xwfr49f7d";
+ };
+
+ nativeBuildInputs = [ autoreconfHook ];
+ buildInputs = [ gnupg pam ];
+
+ configureFlags = [ "--with-moduledir=$\{out\}/lib/security" ];
+
+ meta = with stdenv.lib; {
+ description = "A PAM plugin to preset GPG passphrases on login";
+ homepage = "https://github.com/cruegge/pam-gnupg/";
+ license = licenses.gpl3;
+ platforms = platforms.linux;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index d64fd48197b69e..444633c2563c2e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -16837,6 +16837,8 @@ in pam_ccreds = callPackage ../os-specific/linux/pam_ccreds { }; + pam_gnupg = callPackage ../os-specific/linux/pam_gnupg { }; + pam_krb5 = callPackage ../os-specific/linux/pam_krb5 { }; pam_ldap = callPackage ../os-specific/linux/pam_ldap { };
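Review bot: `src.url` is an unquoted URL literal while `meta.homepage` a few lines below is quoted; unquoted URLs are deprecated in nixpkgs, so either quote it or switch to `fetchFromGitHub { owner = "cruegge"; repo = "pam-gnupg"; rev = "<same rev>"; sha256 = "<recomputed>"; }`, noting the hash must be regenerated because that fetcher downloads a tarball rather than cloning. The pin itself, a full commit id plus `sha256`, is the right shape for a PAM module that will run as root inside every login, and is worth keeping whichever fetcher is used. `"--with-moduledir=$\{out\}/lib/security"` relies on the backslash-escaped `${out}` being expanded by the shell at configure time; `"--with-moduledir=${placeholder "out"}/lib/security"` states the same path without the escape and makes it plain that this is the `/lib/security` directory the pam.nix hunks load the module from.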