I recently got a Yubikey to lock some of my most critical accounts. In the process, I discovered that the Yubikey also supports OpenPGP with the capabilities Sign, Encrypt and Authenticate!
This is a game-changer in terms of security, since I no longer need to keep my private RSA keys on my computer (a hot environment, because it touches the internet).
The process of how to generate the OpenPGP keys and burn them in the yubikey is well explained here:
https://youtube.com/playlist?list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu
The EC2 way
When we launch a new EC2 instance we have to choose a pem file (the private key) to SSH into it.
ssh -i keypair.pem ubuntu@ec2-*********.com
What I used to do is load the pem key into my ssh-agent so I could ssh to the instance without passing the key as a parameter.
ssh-add keypair.pem
ssh ubuntu@ec2-*********.com
EC2 + Yubikey
Assuming that your private key is already on the Yubikey, all you have to do is plug the device into your computer and point your SSH client at gpg-agent's SSH socket instead of the regular ssh-agent socket.
After doing that, ssh will authenticate with the OpenPGP authentication key on the Yubikey.
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
Now copy your public key (the SSH form of your OpenPGP authentication key, served by gpg-agent) to the EC2 instance.
ssh-add -L
ssh-copy-id ubuntu@ec2-*********.com
Now everything is in place to SSH into your EC2 instance with your Yubikey.
ssh ubuntu@ec2-*********.com
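The steps above (enable SSH support in gpg-agent, export SSH_AUTH_SOCK, verify the key, copy it to the server) as one POSIX shell script. This is an added example, not code from the original post. It assumes GnuPG 2.1 or later with gpg-agent's ssh support (the enable-ssh-support option in gpg-agent.conf, which gpgconf --list-dirs agent-ssh-socket relies on), and that GNUPGHOME defaults to ~/.gnupg. The function names are mine; the sample key line used in the comments is constructed.

```shell
#!/bin/sh
# Added example: wire ssh to gpg-agent's SSH socket so a YubiKey-backed
# OpenPGP authentication key is used for EC2 logins.

# Add "enable-ssh-support" to gpg-agent.conf exactly once (idempotent) and
# print how many copies of the line the file now holds.
# $1 = path to gpg-agent.conf
ensure_ssh_support() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    chmod 700 "$(dirname "$conf")" 2>/dev/null
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    grep -cx 'enable-ssh-support' "$conf"
}

# Print the path of gpg-agent's SSH socket. gpgconf is authoritative; the
# fallback is the conventional location under GNUPGHOME (an assumption).
agent_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        printf '%s/S.gpg-agent.ssh\n' "${GNUPGHOME:-$HOME/.gnupg}"
    fi
}

# Report whether an authorized_keys file already holds a public key,
# comparing key type and key blob only (the trailing comment is ignored).
# This is the check that makes re-running ssh-copy-id safe. Lines that
# start with an options prefix (e.g. from="...") are not handled here.
# $1 = authorized_keys path, $2 = public key line ("ssh-rsa AAAA... comment")
authorized_keys_has() {
    keyfile="$1"
    want=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    [ -f "$keyfile" ] || return 1
    awk '{print $1, $2}' "$keyfile" | grep -qxF "$want"
}

# The whole procedure from the post: enable ssh support, restart the agent
# so the option takes effect, export the socket, then list the key the card
# offers. SSH_AUTH_SOCK must be exported or ssh (a child process) won't see it.
setup_yubikey_ssh() {
    ensure_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" >/dev/null
    gpgconf --kill gpg-agent 2>/dev/null
    gpgconf --launch gpg-agent
    SSH_AUTH_SOCK=$(agent_ssh_socket)
    export SSH_AUTH_SOCK
    ssh-add -L
}

# Interactive usage (not run here):
#   setup_yubikey_ssh && ssh-copy-id ubuntu@ec2-host
```

If ssh-add -L prints "The agent has no identities", the card is not being seen by gpg-agent (run gpg --card-status first); if it prints a key but ssh still asks for the pem file, SSH_AUTH_SOCK was set in a different shell or was not exported.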
(waits for confirmation on the Yubikey)
ubuntu@ec2-local:/home/ubuntu
Summary
And you are connected!
Using this method removes the need for the pem file provided by AWS. You can use the same method for other servers: just copy your public key, and your Yubikey is your authenticator.