How to add your existing SSH Key to Yubikey via OpenPGP


In the previous article, we’ve shown how you can use a Yubikey’s openpgp smartcard for ssh public key authentication. Now, there are cases where you do not want to generate a new keypair and instead would like to use your existing ssh keypair.

It should be noted that the most secure way is still to generate a new key directly on the smartcard. That’s the only solution that can actually guarantee your key is not already compromised or cannot be compromised if your PC is already infected. That being said, sometimes it’s just not feasible to replace your keys and moving them to a yubikey will offer you a much better security than continuing to use them in the ssh-agent.

Part 1. Requirements

  1. A yubikey with OpenPGP support
  2. A ssh keypair
  3. A Linux enviroment. Assuming you’re on Windows, you can use the WSL with Debian.

Part 2. Generating a master keypair for the Yubikey

Follow this guide to setup your yubikey and generate the first keypair.

Part 3. Converting your PEM key to OpenPGP format.

This needs to be done in a Linux enviroment using pem2openpgp which is provided by The Monkeysphere Project.

I would recommend to use the Debian subsystem which is provided by Windows WSL. A guide can be found here. Debian already has monkeysphere in his default packages, so proceed with the installation. Open a powershell and run:

apt update
apt -y install monkeysphere

Go to the folder where your pem is located. To access c:\, the linux path is /mnt/c

cd /mnt/c/mykeys

Convert your pem to openpgp and import it to gpg:

pem2openpgp temporary_key < MY_KEY.pem  | gpg --import

Get the keygrip of your new key:

gpg -k --with-keygrip temporary_key 

Next, generate a new temporary masterkey and use a temporary email address ex: [email protected]:

gpg --generate-key

Edit the new key:

gpg --expert --edit-key [email protected]

Add your ssh key as a subkey. You’ll need the keygrip we’ve saved earlier here.


Choose 13 to use existing key

Enter the keygrip and you’ll be asked to choose current allowed actions. Your key needs to have only Authenticate action enabled so we disable signing and encrypt by entering s, e and enable authenticate by entering a.

Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s
Your selection? e
Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

At the end, it should look like this:

Current allowed actions: Authenticate

Press q to finish, choose the expiration date (leave it 0 preferably) and save/create the key:

Your selection? q
Please specify how long the key should be valid.
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

And now import the key to your yubikey:


Select 3 for the Authenticate key and you are done.

You should now be able to use your existing key in the Yubikey to login to your ssh servers.

Next, you can exit the gpg edit utility by running: quit

And delete your temporary keys:

gpg --delete-keys temporary_key
gpg --delete-secret-keys temporary_key
gpg --delete-keys [email protected]
gpg --delete-secret-keys [email protected]

Recent Posts