Using your OpenPGP key on Yubikey for ssh
Last week I wrote
about how you can generate ssh keys on your Yubikeys and use them. There is
another way of keeping your ssh keys secure, that is using your already
existing OpenPGP key (along with authentication subkey) on a Yubikey and use it
In this post I am not going to explain the steps on how to move your key to a
Yubikey, but only the steps required to start using it for
ssh access. Feel
free to have a look at Tumpa if you want an easy way to
upload keys to your card.
Enabling gpg-agent for ssh
First we have to add
gpg-agent.conf file with correct configuration. Remember
to use a different
pinentry program if you are on Mac or KDE.
❯ echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf ❯ echo "pinentry-program $(which pinentry-gnome)" >> ~/.gnupg/gpg-agent.conf ❯ echo "export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)" >> ~/.bash_profile ❯ source ~/.bash_profile ❯ gpg --export-ssh-key <KEYID> > ~/.ssh/id_rsa_yubikey.pub
At this moment your public key (for ssh usage) is at
~/.ssh/id_rsa_yubikey.pub file. You can use it in the
~/.ssh/authorized_keys file on the servers as required.
We can then restart the
gpg-agent using the following command and then also
verify that the card is attached and
gpg-agent can find it.
❯ gpgconf --kill gpg-agent ❯ gpg --card-status
Enabling touch policy on the card
We should also enable touch policy on the card for authentication operation. This means every time you will try to
ssh using the Yubikey, you will
have to touch the interface (it will be flashing the light till you touch it).
❯ ykman openpgp keys set-touch aut On Enter Admin PIN: Set touch policy of authentication key to on? [y/N]: y
If you still have servers where you have only the old key,
ssh client will be smart enough to ask you the passphrase for those keys.