Blog

Appearance

OpenGPG ​

OpenPGP is an encryption standard for secure communication and data protection through public and private key cryptography.

Installation ​

Install through https://gpgtools.org/ or with CLI:

bash
brew install gnupg

Generate (pub/priv) keys with YubiKey ​

A YubiKey is a compact, hardware-based authentication device that enhances security with strong two-factor, multi-factor, and passwordless login capabilities.

Pre-requisite ​

Install the PC/SC software in order to be able to communicate with YubiKey

bash
apt install pcsc-tools

Configuration ​

Interact with the card

bash
gpg --edit-card

Generate keys

bash
# Set to admin mode
gpg/carte> admin

# Generate keys: During the process, It will ask for your PIN during generation
## default PIN password      : 123456
## default PIN admin password: 12345678
gpg/carte> generate

This will create a new set of keys:

  • 1 for encryption.
  • 1 for signature.
  • 1 for authentication.

TIP

To delete all generated keys

bash
gpg/carte> admin
gpg/carte> factory-reset

List all available data on YubiKey

bash
gpg/carte> admin
gpg/carte> list

SSH authentication with YubiKey ​

Set environment variables to use GPG agent as SSH agent.

bash
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
export GPG_TTY=$(tty)

INFO

  • SSH_AUTH_SOCK is an environment variable that tells SSH clients where to find the socket file for the SSH authentication agent.
  • gpgconf --list-dirs agent-ssh-socket is a command that outputs the path to the GPG agent's SSH socket.
  • GPG_TTY=$(tty): Ensures that GPG can properly interact with the terminal to prompt for passphrases or PINs.

TIP

You can add those line in .bashrc or .zshrc

Export the SSH public key associated with the specified GPG key

bash
# gpg --export-ssh-key GPG_KEY_NAME
gpg --export-ssh-key "yubikey"

TIP

  • If you don't know the GPG_KEY_NAME, you can fetch it from
bash
gpg --list-keys
# pub   rsa2048 2020-12-04 [SC]
#       XXXXXXXXXXXXXXXXXXXXXXXXXXX
# uid           [ultimate] yubikey (beautiful comment) <mail@mydomain.com>
# sub   rsa2048 2020-12-04 [A]
# sub   rsa2048 2020-12-04 [E]

#

In this case, yubikey is the GPG_KEY_NAME.

  • Verify public keys currently loaded into the SSH agent
bash
ssh-add -L

Testing your keys ​

Now, add the public SSH key to the remote server in .ssh/authorized_keys file and try to authenticate using it.
A popup will ask for your PIN. (Default PIN: 123456)

TIP

To change the default PIN

bash
# gpg --change-pin GPG_KEY_NAME
gpg --change-pin "yubikey"

Released under the MIT License.

Copyright © 2024 Kien Nguyen