diff --git a/README.md b/README.md
index bc3555ffb..e36df7c0c 100644
--- a/README.md
+++ b/README.md
@@ -162,6 +162,8 @@ Check [traps](./windows/Multi-booting.md)
 ```bash
 touch ~/.ssh/id_ed25519 && chmod 400 ~/.ssh/id_ed25519
 hx ~/.ssh/id_ed25519
+ echo UPDATESTARTUPTTY | gpg-connect-agent # https://unix.stackexchange.com/a/371910
+ ssh-add ~/.ssh/id_ed25519
 ```
 1. [Restore encrypted rclone.conf from STDIN](config/rclone.md)
diff --git a/home-manager/gpg.nix b/home-manager/gpg.nix
index 18fd7e16a..943a9e65d 100644
--- a/home-manager/gpg.nix
+++ b/home-manager/gpg.nix
@@ -18,6 +18,10 @@
 # - `gpg --armor --export PUBKEY | clip.exe`
 # - How to backup private key?
 # - `gpg --export-secret-keys --armor > gpg-private.keys.bak`
+let
+ # All gpg-agent timeouts numbers should be specified with the `seconds`
+ day = 60 * 60 * 24;
+in
 {
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/services/gpg-agent.nix
 services.gpg-agent = {
@@ -25,11 +29,18 @@
 # Update [darwin.nix](darwin.nix) if changed this section
 #
+ # TODO: Reconsider the ttls with recent use
+ #
 # https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session
- defaultCacheTtl = 60480000; # 700 days
- maxCacheTtl = 60480000; # 700 days
+ defaultCacheTtl = day * 700;
+ # https://github.com/openbsd/src/blob/862f3f2587ccb85ac6d8602dd1601a861ae5a3e8/usr.bin/ssh/ssh-agent.1#L167-L173
+ # ssh-agent sets it as infinite by default. So I can relax here (maybe)
+ defaultCacheTtlSsh = day * 30;
+ maxCacheTtl = day * 700;
 pinentryPackage = pkgs.pinentry-tty;
+
+ enableSshSupport = true;
 };
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/gpg.nix
diff --git a/home-manager/ssh.nix b/home-manager/ssh.nix
index 759a29a62..e15cef4ff 100644
--- a/home-manager/ssh.nix
+++ b/home-manager/ssh.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
 # SSH files cannot use XDG Base Directory.
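Review bot: The new `ssh-add ~/.ssh/id_ed25519` step assumes `SSH_AUTH_SOCK` already points at gpg-agent's ssh socket; a shell started before the home-manager switch may still export another agent's socket, in which case the key is loaded into that agent instead. A check line before it, `test "$SSH_AUTH_SOCK" = "$(gpgconf --list-dirs agent-ssh-socket)"`, makes that failure visible instead of silent. It is also worth one sentence that gpg-agent keeps an ssh-add'ed key in its own store (`~/.gnupg/private-keys-v1.d`, protected by a passphrase it prompts for) and lists its keygrip in `sshcontrol`, so after this step the agent no longer reads the file in `~/.ssh` and the key's lifetime is governed by the gpg-agent TTL settings in `home-manager/gpg.nix`.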
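Review bot: The added comment above `day = 60 * 60 * 24;` reads awkwardly ("timeouts numbers should be specified with the `seconds`"); since `day` exists only to make the TTL assignments below readable, a direct statement of the unit is clearer, e.g. `# gpg-agent TTL options are expressed in seconds`. The `let … in` wrapper itself is fine; the attribute set it wraps continues past the end of this hunk.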
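Review bot: `defaultCacheTtlSsh = day * 30;` is capped by gpg-agent's `max-cache-ttl-ssh`, which this block leaves at its built-in default of 7200 seconds, so the SSH passphrase cache still expires after two hours regardless of the 30-day default. If a 30-day cache is the intent, add `maxCacheTtlSsh = day * 30;` next to it; if the two-hour cap is the intent, the comment above `defaultCacheTtlSsh` should say so rather than reasoning from ssh-agent's infinite default. `maxCacheTtl = day * 700` means a gpg passphrase, once entered, effectively never expires from a long-running agent, which the added TODO already acknowledges; a note of the concrete consequence (any process running as this user can use the key for the agent's lifetime) would make the TODO actionable. The hunk header counts two more context lines than are visible here, so some surrounding lines of `services.gpg-agent` appear to be lost in the collapsed text.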
@@ -16,7 +16,8 @@ in
 # - id_*.pub: I CAN register them for different services.
 {
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/services/ssh-agent.nix
- services.ssh-agent.enable = pkgs.stdenv.isLinux;
+ # Prefer gpg-agent for SSH agent role
+ services.ssh-agent.enable = false;
 # https://github.com/nix-community/home-manager/blob/release-24.05/modules/programs/ssh.nix
 programs.ssh = {
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 7b40ac9dd..e89bd1d90 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -165,6 +165,7 @@
 programs.goldwarden = {
 package = edge-pkgs.goldwarden;
 enable = true;
+ useSshAgent = false;
 };
 # https://nixos.wiki/wiki/Podman
diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix
index 5f7045b48..8fa8ba785 100644
--- a/nixos/desktop/default.nix
+++ b/nixos/desktop/default.nix
@@ -85,6 +85,15 @@
 gnome-music # does not support flac by defaults
 ]);
+ # Recommended to be uninstalled by gnupg.
+ # https://wiki.gnupg.org/GnomeKeyring
+ #
+ # And enabling this makes $SSH_AUTH_SOCK overriding even through enabled gpg-agent in home-manager
+ # https://github.com/NixOS/nixpkgs/issues/101616
+ #
+ # Using mkforce for https://discourse.nixos.org/t/gpg-smartcard-for-ssh/33689/3
+ services.gnome.gnome-keyring.enable = lib.mkForce false;
+
 # Enable touchpad support (enabled default in most desktopManager).
 services.libinput = {
 enable = true;
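Review bot: `useSshAgent = false;` is the one agent toggle in this series without a comment explaining why, while the parallel changes in `home-manager/ssh.nix` and `nixos/desktop/default.nix` both state that gpg-agent is meant to be the only SSH agent. A one-line comment above it, `# Keep gpg-agent as the only SSH agent (see home-manager/ssh.nix)`, keeps the three files consistent and tells a future reader the setting is deliberate rather than a leftover. Whether goldwarden's agent would otherwise export its own `SSH_AUTH_SOCK` is inferred from the other hunks' comments, not from this file.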
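Review bot: Forcing `services.gnome.gnome-keyring.enable` off removes more than the competing SSH agent the comment describes: gnome-keyring is also the usual provider of the `org.freedesktop.secrets` D-Bus service, so desktop applications that store credentials through libsecret lose their backend unless another Secret Service provider is configured. The comment block should record that trade-off, e.g. `# Also removes gnome-keyring's org.freedesktop.secrets service; confirm nothing here relies on it`. `lib.mkForce` presumes `lib` is among this module's arguments, which lie outside the hunk, and the comment's `mkforce` should match the identifier's casing. The enclosing attribute set starts and ends outside this hunk.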