In the previous article, we’ve shown how you can use a Yubikey’s openpgp smartcard for ssh public key authentication. Now, there are cases where you do not want to generate a new keypair and instead would like to use your existing ssh keypair.
It should be noted that the most secure way is still to generate a new key directly on the smartcard. That’s the only solution that can actually guarantee your key is not already compromised and cannot be compromised if your PC is already infected. That being said, sometimes it’s just not feasible to replace your keys, and moving them to a Yubikey offers much better security than continuing to use them in the ssh-agent.
Part 1. Requirements
- A yubikey with OpenPGP support
- An ssh keypair
- A Linux environment. If you’re on Windows, you can use WSL with Debian.
Part 2. Generating a master keypair for the Yubikey
Follow this guide to set up your Yubikey and generate the first keypair.
Part 3. Converting your PEM key to OpenPGP format.
This needs to be done in a Linux environment using pem2openpgp, which is provided by The Monkeysphere Project.
I recommend using the Debian subsystem provided by Windows WSL. A guide can be found here. Debian already has monkeysphere in its default packages, so proceed with the installation. Open a PowerShell window and run:
apt update
apt -y install monkeysphere
Go to the folder where your PEM file is located. To access c:\, use the Linux path /mnt/c:
cd /mnt/c/mykeys
Convert your pem to openpgp and import it to gpg:
pem2openpgp temporary_key < MY_KEY.pem | gpg --import
Get the keygrip of your new key:
gpg -k --with-keygrip temporary_key
Next, generate a new temporary master key and use a temporary email address, e.g. me@localhost:
gpg --generate-key
Edit the new key:
gpg --expert --edit-key me@localhost
Add your ssh key as a subkey. You’ll need the keygrip we saved earlier here.
addkey
Choose 13 to use an existing key.
Enter the keygrip and you’ll be asked to choose the allowed actions. Your key must have only the Authenticate action enabled, so disable sign and encrypt by entering s and e, then enable authenticate by entering a.
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Your selection? e
Your selection? a
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
At the end, it should look like this:
Current allowed actions: Authenticate
Press q to finish, choose the expiration date (leave it 0 preferably) and save/create the key:
Your selection? q
Please specify how long the key should be valid.
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
And now import the key to your yubikey:
keytocard
Select 3 for the Authenticate key and you are done.
You should now be able to use your existing key in the Yubikey to login to your ssh servers.
Next, you can exit the gpg edit utility by running: quit
And delete your temporary keys:
gpg --delete-secret-keys temporary_key
gpg --delete-keys temporary_key
gpg --delete-secret-keys me@localhost
gpg --delete-keys me@localhost
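A check worth running after quitting the edit session and before the temporary keys are deleted, added here as an example and not part of the original article: it reads gpg's colon listing and confirms the subkey with your keygrip is Authenticate-only and that its secret part is a card stub rather than still on disk. The field positions (12 = capabilities, 15 = card serial number) follow GnuPG's colon-listing format; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example. Feed audit_auth_subkey the output of:
#   gpg --list-secret-keys --with-colons --with-keygrip me@localhost
# $1 = keygrip of the migrated SSH key.
# Exit status: 0 ok, 1 wrong capabilities, 2 secret not on a card, 3 keygrip not found.
audit_auth_subkey() {
    awk -F: -v want="$1" '
        BEGIN { rc = 3 }
        # Field 12 = capabilities, field 15 = card serial ("+" = on disk, "#" = bare stub)
        $1 == "sec" || $1 == "ssb" { kind = $1; caps = $12; token = $15 }
        $1 == "grp" && $10 == want && kind == "ssb" {
            if (caps != "a")                    { rc = 1; msg = "capabilities \"" caps "\", expected \"a\"" }
            else if (token !~ /^[0-9A-Fa-f]+$/) { rc = 2; msg = "secret key is not on a card (field 15 = \"" token "\")" }
            else                                { rc = 0; msg = "authenticate-only, on card " token }
            exit
        }
        END { print (rc == 3 ? "keygrip not found under a subkey" : msg); exit rc }
    '
}

# Constructed sample listing (not real key material).
# $1 = subkey capabilities, $2 = field 15 of the ssb record.
sample_listing() {
    cat <<EOF
sec:u:3072:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::0000000000000000000000000000000000000000::me@localhost::::::::::0:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1700000000::::::$1:::$2:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
grp:::::::::2222222222222222222222222222222222222222:
EOF
}

GRIP=2222222222222222222222222222222222222222   # constructed keygrip
# Key moved to the card and saved: passes.
sample_listing a D2760001240100000000000000000000 | audit_auth_subkey "$GRIP"
# Edit session left without saving: the secret key is still on disk.
sample_listing a + | audit_auth_subkey "$GRIP" || echo "exit status $?"
```

A status of 2 means the private key material is still in the local keyring, so the keytocard change was not saved.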