
ssh+gpg+yubikey

Creating new keys

$ export GNUPGHOME=~/gnupg-workspace
$ wget -O $GNUPGHOME/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf
$ grep -ve "^#" $GNUPGHOME/gpg.conf
$ gpg --gen-random --armor 0 24 > $GNUPGHOME/passphrase
$ gpg --expert --full-generate-key # choose: ECC with custom capabilities, Curve 25519, Certify only, expiry 0 (does not expire)
$ export KEYID=0xAAAAAAAAAAAAAAAA
$ gpg --expert --edit-key $KEYID
gpg> addkey # sign key
gpg> addkey # encr key
gpg> addkey # authn key
gpg> save
$ gpg -K
$ gpg --export $KEYID | hokey lint
$ gpg --armor --export-secret-keys $KEYID > $GNUPGHOME/mastersub.key
$ gpg --armor --export-secret-subkeys $KEYID > $GNUPGHOME/sub.key
$ gpg --output $GNUPGHOME/revoke.asc --gen-revoke $KEYID
$ tar -czvf yyyy-mm-dd-gnupg.tar.gz $GNUPGHOME/
$ echo "save yyyy-mm-dd-gnupg.tar.gz somewhere safe"
$ gpg --armor --export $KEYID | tee /keybase/public/xlgmokha/gpg-$KEYID-$(date +%F).asc
$ gpg --card-edit
gpg/card> admin
gpg/card> kdf-setup
gpg/card> passwd  # 3 change admin pin default: 12345678
gpg/card> passwd  # 2 change pin default: 123456
gpg/card> name    # mo khan
gpg/card> lang    # en
gpg/card> login   # mo@mokhan.ca
gpg/card> url     # https://www.mokhan.ca/.gnupg/xlgmokha.asc
gpg/card> quit
$ ykman openpgp access set-retries 5 5 5
$ gpg --edit-key $KEYID
gpg> key 1
gpg> keytocard
gpg> key 1        # deselect key 1
gpg> key 2
gpg> keytocard
gpg> key 2        # deselect key 2
gpg> key 3
gpg> keytocard
gpg> save
$ gpg -K
$ gpg --card-status

Non-interactive alternative to the interactive addkey steps above (one subkey per capability, each expiring after one year):

$ gpg --quick-add-key $KEYID ed25519 sign 1y
$ gpg --quick-add-key $KEYID cv25519 encr 1y
$ gpg --quick-add-key $KEYID ed25519 auth 1y

Cleanup (the workspace still contains the master secret key and the generated passphrase file, so only do this once the tarball above has been stored offline):

$ sudo rm -rf $GNUPGHOME
$ gpg --delete-secret-key $KEYID
$ unset GNUPGHOME

Import your public key into your key ring:

$ gpg --import /keybase/public/xlgmokha/gpg-$KEYID-$(date +%F).asc

gpg-agent as the ssh-agent

# ~/.gnupg/gpg-agent.conf
enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/local/bin/xlg-pinentry

Start gpg-agent and point SSH_AUTH_SOCK at the agent's ssh socket so ssh clients talk to gpg-agent instead of a separate ssh-agent.

$ export GPG_TTY="$(tty)"
$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
$ gpgconf --launch gpg-agent

SSH

Export the authentication subkey in OpenSSH public-key format to use as the ssh public key.

$ gpg --export-ssh-key $KEYID > ~/.ssh/id_xxx.pub

Add the keygrip of the authentication subkey to ~/.gnupg/sshcontrol so gpg-agent will serve it as an ssh key. Note that the `>` below replaces any existing sshcontrol entries, and the value wanted is the keygrip printed by `--with-keygrip` under the authentication subkey, so check the pipeline's output before writing the file.

$ gpg -K --with-keygrip | grep $KEYID | awk '{ print $3 }' > ~/.gnupg/sshcontrol

Check ssh keys:

$ ssh-add -l # list fingerprints of the keys the agent serves
$ ssh-add -L # list the full public keys
$ ssh git@github.com -i ~/.ssh/id_xxx.pub

Resources