diff --git a/modules/tools/git/default.nix b/modules/tools/git/default.nix
index 5e889cc..76076b3 100644
--- a/modules/tools/git/default.nix
+++ b/modules/tools/git/default.nix
@@ -7,6 +7,7 @@
 }:
 with lib; let
 cfg = config.aa.tools.git;
+ gpg = config.aa.tools.gpg;
 user = config.aa.user;
 in {
 options.aa.tools.git = with types; {
@@ -52,7 +53,7 @@ in {
 
 signing = {
 key = cfg.signingKey;
- signByDefault = false; # TODO: Only set if gpg is enabled
+ signByDefault = mkIf gpg.enable true;
 };
 
 ignores = [
diff --git a/modules/tools/gpg/default.nix b/modules/tools/gpg/default.nix
new file mode 100644
index 0000000..3320b6e
--- /dev/null
+++ b/modules/tools/gpg/default.nix
@@ -0,0 +1,40 @@
+{
+ options,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.aa.tools.git;
+ user = config.aa.user;
+in {
+ options.aa.tools.gpg = with types; {
+ enable = mkEnableOption "gpg";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [gnupg pinentry-curses];
+
+ aa.home.extraOptions = {
+ programs.gpg = {
+ enable = true;
+ scdaemonSettings = {
+ # Fix conflicts with config in common/yubikey.nix
+ disable-ccid = true;
+ };
+ };
+
+ services.gpg-agent = {
+ enable = true;
+ pinentryFlavor = "curses";
+ enableZshIntegration = true; # TODO: Only set if using zsh
+ enableSshSupport = true;
+ sshKeys = [
+ # run `gpg-connect-agent 'keyinfo --list' /bye` to get these values for existing keys
+ "E274D5078327CB6C8C83CFF102CC12A2D493C77F"
+ ];
+ };
+ };
+ };
+}
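Review bot: In the `@@ -52,7 +53,7 @@` hunk of modules/tools/git/default.nix, `signByDefault` is now keyed only on `gpg.enable`, while the key still comes from `cfg.signingKey`, whose declaration and default are outside the hunk. If that option can be left unset, every commit will either fail to sign or be signed with whatever key GnuPG selects on its own, which is easy to miss until a signature is checked. Consider tying the two together, e.g. `signByDefault = mkIf (gpg.enable && cfg.signingKey != null) true;`, adjusting the test to the option's actual type. The enclosing attribute set starts and ends outside the hunk.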
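Review bot: `cfg = config.aa.tools.git;` in the new modules/tools/gpg/default.nix looks like a copy-paste slip. Because of it, `config = mkIf cfg.enable` follows the git option, and `aa.tools.gpg.enable`, declared a few lines below, is never read in this file. Enabling git alone therefore installs gnupg and starts gpg-agent with `enableSshSupport = true`, while enabling gpg alone configures nothing; the binding should be `cfg = config.aa.tools.gpg;`. The `user` binding is unused here. The keygrip in `sshKeys` belongs to one person's key, so it would be better exposed as a module option (for example a list-of-strings option defaulting to `[]`) than hard-coded in a shared module.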