Generate Trusted Private And Public Key For Yubikey
Generate Trusted Private And Public Key For Yubikey 5,0/5 4229 reviews

Generate public key from private key putty beach

Updated by Alex FornutoContributed byHuw Evans

Try this guide out by signing up for a Linode account with a $20 credit.

There are two ways of getting private keys into a YubiKey: You can either generate the keys directly on the YubiKey, or generate them outside of the device, and then importing them into the YubiKey. Reasons for importing keys include wanting to make a backup of a private key (generated keys are non-exportable, for security reasons), or if the private key is provided by an external source. To move your secret key from your GPG keyring to your YubiKey, go to this page and start where it says “To import the key on your YubiKey” If you need to generate a GPG key for SSH authentication, take a look at this guide and follow one of the two methods provided. Jun 02, 2019  The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the.

Contribute on GitHub

Report an Issue View File Edit File

You may be familiar with public key authentication for Secure Shell (SSH) on your Linode. But you may not have known that you can also use a GNU Privacy Guard (GPG) keypair to authenticate with SSH.

The chief benefit of this method is that instead of having separate keys for GPG messaging and SSH authentication, they can both belong to the same GPG keyring. This configuration really shines, however, when used with a GPG smartcard or YubiKey, because the card/dongle can store the underlying private key and only authenticate SSH sessions when it’s plugged in. WIRED reported that engineers at Facebook use this method for authenticating with local servers, so why shouldn’t you?

This guide will show you how to generate a GPG key, set up your computer to serve it in place of an SSH key, and put the new public key onto your server for authentication. It will also detail how to optionally move your GPG private key onto a smartcard or YubiKey to prevent authentication when the device isn’t plugged into your computer.

Before You Begin

Note
This guide will only work on UNIX-based (Linux & OS X) machines! The process is very complicated on Windows but may be possible with some research.

This guide assumes:

  • You have a fully functional Linode
  • You have followed the Getting Started and Securing Your Server guides, and updated your Linode with sudo apt-get update && sudo apt-get upgrade)
  • You are familiar with the command line

You don’t necessarily need to be familiar with SSH public key authentication or GPG encryption, but an understanding of their operation will help you out if you run into problems.

Generate a GPG Keypair

This section explains how to generate a new GPG keypair. If you already have one, you may skip these steps, as the next section will include instructions for how to create a subkey to use specifically for authentication. You will just need the 8-digit ID for your existing key to do so.

Caution
As an additional security measure, this process may be undertaken on an offline (non network-connected) machine or single-use Virtual Machine (VM). After installing the pre-requisite packages and only the pre-requisite packages, disconnect it from the network and continue with the steps below.

All of these steps should be performed on a local machine, not your Linode.

  1. Install GPG:

    On Debian and its derivatives:

    On OS X:

    GPGTools provides the simplest implementation of GPG for OS X. Otherwise, you could run brew install gnupg2 if you have Homebrew.

    On other operating systems, this process should be fairly clear. GPG is likely already installed, but if it isn’t, a quick internet search should give you the instructions you need.

  2. Open a command prompt and execute:

  3. When prompted to select the kind of key you want, select (1) RSA and RSA.

  4. When asked for a keysize, type 4096. If you want to store your key on a YubiKey Neo or certain smartcards, you may be restricted to a 2048-bit key size, so ensure that you aware of limitations for your device, if applicable.

  5. Choose an expiration period that you think will be suitable for this key. After that date, the key will no longer work, so choose carefully.

  6. Enter your full name, email address, and a comment (if you want). Select O for ‘Okay’.

  7. After looking over your shoulders for secret agents, enter a long and secure passphrase that will be used to encrypt your key in local storage. Write this down somewhere you know to be physically secure while your computer generates the keypair.

Once this is done, your output should resemble the following:

This process has created a master GPG key and a subkey for encrypting messages and files. To authenticate with SSH, we need to generate a second subkey for authentication.

Generating the Authentication Subkey

  1. In a command prompt or terminal, type:

    Replace key-id with the eight-character string output from the key generation process. This will be found in the line beginning with pub. In the example above, the ID is 71735D23.

  2. At the new gpg> prompt, enter:

  3. When prompted, enter your passphrase.

  4. When asked for the type of key you want, select: (8) RSA (set your own capabilities).

  5. Enter S to toggle the ‘Sign’ action off.

  6. Enter E to toggle the ‘Encrypt’ action off.

  7. Enter A to toggle the ‘Authenticate’ action on. The output should now include Current allowed actions: Authenticate, with nothing else on that line.

  8. Enter Q to continue.

  9. When asked for a keysize, choose 4096. The same limitation from Step 4 in the first section applies, so ensure your card/YubiKey can support this key size.

  10. Enter an expiration date, just as before. You should probably keep this the same as the first one. If you choose a lower expiration date, your main private key will continue to function but your SSH authentication will break on this date.

  11. When you’re sure all of the information entered is correct, enter y at the Really create? (y/N) prompt to complete the process.

  12. Once the key is created, enter quit to leave the gpg prompt, and y at the prompt to save changes.

Your terminal should now look like this:

Secure Your GPG Key

Caution
If you fail to back up or otherwise secure your key, any hardware failure will lead to you being unable to access your Linode with this key. If you lock out password access through SSH, you’ll need to use Lish to regain access.

You should always have a backup of your private key in case something goes wrong and you end up locked out of everything that requires it. This private key, along with the instructions in this guide, will be enough to get your setup working again if you need to start afresh on a new computer.

  1. Back up your ~/.gnupg folder with the following command, replacing USB_DEVICE with the name of your device:

    This assumes you have a storage device mounted at /Volumes/USB_DEVICE/. Different operating systems may use different naming conventions for this path. You can safely ignore any Operation not supported on socket warnings that appear when you enter this command.

  2. Back up your private key, replacing key-id with the eight-character key ID for your private key:

  3. Back up your subkeys, replacing key-id with the eight-character key ID for each subkey:

If something bad happens and you lose your keys, you can re-import them by overwriting the ~/.gnupg directory with your copy, and using:

Be sure to replace key-file with the location of each of your files.

Export Your Public Key

If you’re working on a VM or offline machine, you’ll also need to export your public key to be reimported later:

Be sure to replace key-id with your own key ID.

You can reimport it with the ever-handy gpg2 --import key-file command.

Generate Trusted Private And Public Key For Yubikey For Windows

Move Your Key to a Smartcard or YubiKey (Optional)

Generate Trusted Private And Public Key For YubikeyNote
If you’re using a brand new YubiKey, you’ll need to enable OpenPGP Card / CCID Mode first. This can be done through the YubiKey Personalization Tool, or by running ykpersonalise -m82. ykpersonalise can be installed through your package manager.

Secure Your Card

It is assumed that you have already configured your card/YubiKey’s (herein referred to as ‘GPG device’) owner information. It is highly recommended that you secure your card before you start this section.

Note
Some of these commands may ask for a PIN or Admin PIN. The default PIN is usually 123456, and the default Admin PIN is usually 12345678. If these don’t work, contact the manufacturer or review online documentation.
  1. Plug in the device and execute:

  2. Enable admin commands:

  3. Enter the password change menu:

  4. Change the password to your device by selecting 2 - unblock PIN. This will unblock your PIN, and prompt you to change it. This PIN will be required every time you want to access your GPG key (e.g. every time you authenticate with SSH), and has a limit of eight characters.

  5. Change the admin PIN by selecting 3 - change Admin PIN. This PIN is required to make administrative changes, like in step 2, and has a limit of 6 characters. For optimum security, never store this PIN in a digital location, since it will be unnecessary for daily use of the YubiKey.

  6. Exit these menus by selecting Q and then typing quit.

For reference, your window should resemble the following. This example is abbreviated:

Transfer Your Subkey

  1. Enter the key edit menu from a normal command prompt, replacing key-id with your own key ID:

  2. Switch to the private key editor:

  3. Select only the authentication subkey:

    Remember, if you have more subkeys this command should be changed as appropriate.

  4. Transfer the key:

  5. Select (3) Authentication key to store your key on the third slot of the device. If this is not an option, ensure that you’ve selected the appropriate subkey.

  6. Enter your passphrase.

  7. Type save to exit this menu.

  8. If you’re working on a VM or offline machine, export the subkey stubs (pointers so GPG knows your subkeys are on the device):

    Be sure to substitute your own key ID for key-id. You can reimport these with an ordinary gpg2 --import <stub file> on your private machine.

After all this, your output should resemble the following:

Congratulations! You’ve successfully transferred your authentication subkey to your device.

Caution
If you weren’t using a VM or offline machine, back up your local copies of the private keys, delete them, and ensure that the rest of the keys are still on the card.

Serve Your GPG key Instead of an SSH key

In this section, we’ll configure your local machine so the connection between GPG and SSH works properly.

Return to your local machine, import all of the appropriate GPG keys and insert the appropriate GPG device. Install GPG if you don’t already have it on your local computer (e.g. if you performed all the above steps on a VM).

  1. Edit the ~/.bash_profile file (or similar shell startup file) to include:

    Linux:

    ~/.bash_profile

    OS X

    ~/.bash_profile

    This ensures that SSH can ‘see’ your GPG keys and automatically starts gpg-agent as needed.

  2. Edit or create ~/.gnupg/gpg-agent.conf:

    ~/.gnupg/gpg-agent.conf

    If you’re on OS X and previously installed GPGTools, you can also add the line:

    This allows you to use the PIN entry program provided by GPGTools.

  3. Restart the GPG agent:

What Is Public Key

Add the New Key to Your Linode

The steps from the previous sections will take your GPG keys and pipe them through SSH so they can be used for authentication. The result of this process is that you’ve created a new RSA public key for use with SSH authentication.

  1. On your local machine, extract the public key:

    You should see a long output of alphanumeric characters. If you see The agent has no identities, try the steps to restart the GPG agent from above.

  2. Copy the whole string of output, including ssh-rsa. If you see multiple strings beginning with ssh-rsa, copy the one that ends with cardno:. It might look like this:

  3. Paste this into a new file (for example, ~/gpg-key.pub) and save it.

  4. Copy the file to your Linode:

  5. Log into your Linode and append the key to the authorized_hosts file:

You’re done! Disconnect, and all new logins should now use your GPG key instead of a passphrase. This SSH key can also be used with GitHub, Bitbucket, other SSH-based Version Control Systems, or anywhere else that accepts SSH keys.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Join our Community

Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.

Yubikey, Smart Cards, OpenSC and GnuPG are pain in the ass to get working. Those snippets here sould help alleviate pain.

To reset and disable not used modes on Yubikey you need the ykman program

You can install it using those commands

Generate Trusted Private And Public Key For Yubikey

GnuPG usage only needs CCID mode to be enabled. FIDO mode can also be enabled for WebAuthn

Yubikey OpenPGP applet that is used by GnuPG can be configured with

Make sure that gnupg, pcscd and scdaemon are installed

GnuPG Smart Card stack looks something like this

Now we have to tell scdaemon to use pcsc interface instead of the default direct connect mode.

Under Ubuntu libpcsclite.so is in package called libpcsclite1.dpkg -L libpcsclite1 command can show the location of the lib.

GnuPG Trust Model

Turn on ssh like trust on first use (tofu)

After changing gpg configuration files, it's a good idea to restart gpg-agent.

If everything went well then running following command should show something like this

Debuging

Test if Yubikey is detected

pcsc-tools package contains pcsc_scan program that can be used to check that Yubikey is detected.

and then run

Now you should see Card inserted and removed events on your terminal when connectingand removing Yubikey.

Restart everything

Smart Card middleware

gpg-agent

Check the logs

Run journalctl in another terminal window and look for scdaemon log lines

If you see sharing violation messages then something else is probably trying to use the yubikey via opensc.Check getting-estonian-id-card-and-gnupg-scdaemon-yubikey-work-together

Switch from OpenSSH ssh-agent to GnuPG as ssh-agent

Temporarily

First get you need to get GnuPG agent-ssh-socket path

That should return something like this

And then you can set that path as SSH_AUTH_SOCK environment variable

After that ssh-add -l shoud show your Yubikey.

Permanent

Getting Estonian ID card and GnuPG scdaemon Yubikey work together.

Estonian ID card uses opensc project to access private keys on the smart card.Opensc also supports Yubikey and that will create conflicts with GnuPG scdaemon.

SSH KeyGen is a simple process that creates a public/private SSH Key-pair that can be used to securely access a virtual private server. Get started on Windows via. Mac os generate public ssh key. To generate the public/private key pair, enter this in the Command Prompt: ssh-keygen At the first prompt, “Enter file in which to save the key,” press Enter to save it in the default location.

To fix it you can just disable Yubikey in opensc.

To make coperation between opensc and scdaemon even better then you have to patch scdaemon touse shared access mode, Arch Linux wiki has a short paragraph about that here https://wiki.archlinux.org/index.php/GnuPG#Shared_access_with_pcscd.

gpg -k or gpg --list-keys - List stored public keys

gpg -K or gpg --list-private-keys - List all stored private keys, # means private key is unavailable, > means private key is on a smartcard

  1. Generate 2048bit RSA master key with Certify(Master) and Sign permissions, expire key after 2 years
  1. Add a 2048bit RSA encryption subkey that expires after 2 years

where master_key_fingerprint is a 40 char hex string shown when running gpg -K

man page says that you can use -e option to convert private and public keys to other formats, that seems to be wrong. Insteadyou can use -p option to request changing the password but not actually setting the password.

Symmetric Key

Monkeysphere project includes a pem2openpgp command that can be used to import ssh private keys to gnupg keyring.

Public Key Example

The imported key is stored without encryption, add it with those commands:

and then use passwd command and type the same password as your master key

After importing you can use normal gpg --edit-key command to change parameters on this key. GnuPG 2.1 also allows you to move the imported key to be one of your subkeys for authentication. https://security.stackexchange.com/a/160847

Move the key

  1. Get the imported key keygrip value gpg --with-keygrip -k
  2. gpg --expert --edit-key <master_key_id> where master_key_id is a 40 char hex string shown when running gpg -K
  3. type addkey
  4. select (13) Existing key
  5. Copy and Paste imported ssh key keygrip
  6. Toggle off all capabilities and enable authenticate capability and finish
  7. Set key valid time to 2 years with 2y
  8. Confirm key creation and type your master key password
  9. Type save to save and exit from edit menu

Generate Trusted Private And Public Key For Yubikey Free

Delete old public ssh key

This key is no longer needed

where ssh_key_id is a 40 char hex string shown when running gpg -K

Before moving private keys to yubikey you must make a backup of private keys so that when you lose or break your yubikeyyou could move the same keys to a new yubikey.

Exported keys are encrypted with your master password.

Its also a good idea to print your private keys on a paper because files can bitrot and become unusable after some time.

and then use keytocard command to move the primary key to card.Then select first sub key with key 1 and then move that to card with keytocard.Then unselect first key with command key and then select second subkey with key 2 and then do keytocard. After that save and you are done.

scdaemon with shared access for ubuntu 18.04https://d.arti.ee/scdaemon_2.2.4-1ubuntu1.2_amd64.deb

What do ssb and other mean in gpg --list-keys output

# after sec/ssb means that secret key is unavailable, maybe it was exported and then deleted

> after sec/ssb means that secret key is on a smartcard/yubikey