In the previous article, we’ve shown how you can use a Yubikey’s openpgp smartcard for ssh public key authentication. Now, there are cases where you do not want to generate a new keypair and instead would like to use your existing ssh keypair.
It should be noted that the most secure way is still to generate a new key directly on the smartcard. That’s the only solution that can actually guarantee your key is not already compromised or cannot be compromised if your PC is already infected. That being said, sometimes it’s just not feasible to replace your keys and moving them to a yubikey will offer you a much better security than continuing to use them in the ssh-agent.
Part 1. Requirements
- A yubikey with OpenPGP support
- A ssh keypair
- A Linux enviroment. Assuming you’re on Windows, you can use the WSL with Debian.
Part 2. Generating a master keypair for the Yubikey
Follow this guide to setup your yubikey and generate the first keypair.
Part 3. Converting your PEM key to OpenPGP format.
This needs to be done in a Linux enviroment using pem2openpgp which is provided by The Monkeysphere Project.
I would recommend to use the Debian subsystem which is provided by Windows WSL. A guide can be found here. Debian already has monkeysphere in his default packages, so proceed with the installation. Open a powershell and run:
apt update apt -y install monkeysphere
Go to the folder where your pem is located. To access c:\, the linux path is /mnt/c
Convert your pem to openpgp and import it to gpg:
pem2openpgp temporary_key < MY_KEY.pem | gpg --import
Get the keygrip of your new key:
gpg -k --with-keygrip temporary_key
Next, generate a new temporary masterkey and use a temporary email address ex: me@localhost:
Edit the new key:
gpg --expert --edit-key me@localhost
Add your ssh key as a subkey. You’ll need the keygrip we’ve saved earlier here.
Choose 13 to use existing key
Enter the keygrip and you’ll be asked to choose current allowed actions. Your key needs to have only Authenticate action enabled so we disable signing and encrypt by entering s, e and enable authenticate by entering a.
Current allowed actions: Sign Encrypt (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished Your selection? s Your selection? e Your selection? a Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Authenticate (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished
At the end, it should look like this:
Current allowed actions: Authenticate
Press q to finish, choose the expiration date (leave it 0 preferably) and save/create the key:
Your selection? q Please specify how long the key should be valid. Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y Really create? (y/N) y
And now import the key to your yubikey:
Select 3 for the Authenticate key and you are done.
You should now be able to use your existing key in the Yubikey to login to your ssh servers.
Next, you can exit the gpg edit utility by running: quit
And delete your temporary keys:
gpg --delete-keys temporary_key gpg --delete-secret-keys temporary_key gpg --delete-keys me@localhost gpg --delete-secret-keys me@localhost