Using your Yubikey to store your SSH Key (RSA 4096)

Using your Yubikey to store your SSH Key (RSA 4096)

Prerequisites

For this procedure to work you must have GnuPG version 2.0.22 or later installed on your computer. The version of the YubiKey’s OpenPGP module must be 1.0.5 or later. To check this version you may run, after inserting your YubiKey:

$ gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  01 00 05 90 00                               
OK

Where "01 00 05" means version 1.0.5.

If you have an existing key you want to import, that key must be a RSA 2048 bit key.

You’ll also need the YubiKey’s Admin PIN. (Default 12345678)

Generate a key

Skip this step if you already have a key.

$ gpg --gen-key

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

As there are key size and type limits depending on the type of your YubiKey, see the comparison page, we will select option 1, and go with the default of 4096 bits for the next question.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? 4096

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Select an expiry date if you want to. And answer that the data is correct.

Should be the real name associated with this key.

Should be the email adress associated with this key.

May be a comment attached to the key if you want, or leave this empty.

Real name:
Email address:
Comment:

If you’re happy with this USER-ID answer O for okay.

You selected this USER-ID:
    "Paul Micheli <paul@*********.com>m>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Take note of the id of the key, in this case 1******5.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 13AFCE85 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   8  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: depth: 1  valid:   8  signed:   2  trust: 3-, 0q, 0n, 5m, 0f, 0u
gpg: next trustdb check due at 2014-03-23
pub   4***R/1******5 2020-08-11 [expires: 2024-08-11]
      Key fingerprint = 7*************************************5
uid                Paul Michei <paul@*********.com>m>

Importing the key

Now it’s time to import the key into the YubiKey as your Auth SSH Key.

$ gpg --edit-key 1******5

gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4***R/1******5  created: 2020-08-11 [expires: 2024-08-11]  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). Paul Micheli <paul@*********.com>m>

gpg> toggle

sec  4***R/1******5  created: 2020-08-11 [expires: 2024-08-11]
(1)  Foo Bar <foo@example.com>

gpg> keytocard
Really move the primary key? (y/N) y
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 3

Here we’ve just moved the primary key to the PGP Auth slot of the YubiKey.

gpg> key 3

sec  4096R/13AFCE85  2020-08-11 [expires: 2024-08-11]
                     card-no: 0000 00000001
(1)  Paul Micheli <paul@*********.com>m.com>

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: 743A 2D58 688A 9E9E B4FC  493F 70D1 D7A8 13AF CE85 

And as a last step we’ve now moved the Authentication key to the YubiKey.

gpg> quit
Save changes? (y/N) y

After this the keyring is saved. And that point it no longer contains the real secret key, only a pointer indicating that it’s stored on a smart card.

You can delete this key from your local gpg DB so it is only stored on your YubiKey.

Viewing the public key

To reveal the public key needed to add to your servers authorized_keys file so you can use the SSH key on your YubiKey to SSH to remote servers.

Run the below command to reveal the public key part of your SSH key pair;

paulmicheli@minime:~$  ssh-add -L
ssh-rsa A********************Fey
**[NOPE NOT HAVING THE MIDDLE]**
****===ZDdO cardno:0***********8

You can copy this to your authorized_keys file to your server and then test using ssh, if you use puppet to manage your SSH key deployment you can copy it there also.

Comments

[Sebastian Steenssøe]

Hi Paul.

Thank you for a great series on Yubikeys! 🚀 I've just received my Yubikey and would like to copy an existing SSH key to it. How would I go about doing that?