UX: How to upload my SSH key to YubiKey? #39
Comments
I think I may misunderstand what
This plugin adds hardware token support to We don't currently have support for importing an existing key, but if we did, and added support for SSH keys, it would need to be using the same curve as above. We will therefore not support That being said, the plugin can use manually imported keys, so if you import your P256 key into one of the retired slots using a tool that can do that (Yubico's CLI tool can, IIRC their GUI tool can't), you should then be able to use Note that you can't use your SSH pubkey for encryption, it will be a specific recipient (which is necessary in order for the (There's separately rationale for the ability to import keys, as "enabling the key to be backed up outside the YubiKey", but I argue it's much better to instead just have multiple YKs and encrypt to all of them at once using a recipient file, and then add/remove YKs as necessary for rotation.)
Thanks for your answer. I'm investigating this myself. Simply put, I'm trying to do this: Allow ssh-agent/encryption/decryption using Use case: Suppose someone sends me an encrypted file using https://github.com/Ciantic.keys with rage, then I'd like to decrypt it with the key stored in the YubiKey. Mostly the confusing part is the YubiKey, with multiple tools and unhelpful errors. Not a fault of this program, the YubiKey is very unclear about what is possible and what isn't. Edit: Oh yeah, I'm experimenting with an SSH-ED25519 key, trying to upload it to a PIV slot.
This could work, if it contains a P256 SSH key and someone transforms that SSH key into the correct
Only recent YubiKeys (manufactured after November 2019 IIRC) support curve25519, and I'm not sure whether they do so in the PIV applet. That's why we picked P256 instead.
I've taken a look at the specification and it seems that PIV does not support curve25519, only P256 and P384. However, it does support RSA 1024/2048. The YubiKey, according to this, also does have a slot for RSA2048. I am not a security expert by any means, and I have no clue if it is even possible to make age work with RSA2048. I just wanted to point these two findings out!
Related #174
Worth pointing out that the Yubico docs on the supported algorithms for the Yubikey 5's "PIV-compatible" smartcard functionality claim it supports Ed25519 from firmware version 5.7 onwards: The YubiKey 5 Series supports the following algorithms on the PIV smart card application.
Edit: literally what @pinpox was just pointing out. Note to self: read the related issues before posting 😄
What were you trying to do
Upload SSH key to YubiKey
What happened
I have no idea how to do it! I was pointed here from elsewhere. Currently I have a nice setup where I have an SSH key in the YubiKey using OpenPGP. I can generate an SSH key using OpenPGP, then make a paper backup of it, store it on the YubiKey and authenticate using the pgp agent.
I'm trying to replicate this behavior with age/rage, but can't figure out how I can upload my SSH key to the YubiKey.
I suspect it's not possible to generate an SSH key on my computer (to make a backup of it) and store it on the YubiKey. Maybe if that's the case it could be mentioned. If that is the case, I have to stick with the OpenPGP-generated SSH key, which can be uploaded using the YubiKey management tools.
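Added example, not part of the original issue or the plugin's code: a Python check of which algorithm an OpenSSH public-key line (such as one served from a `.keys` URL) actually encodes, paired with what this thread says about that algorithm on the YubiKey PIV applet. The sample lines are constructed from dummy bytes, and the function names and note strings are this example's own.

```python
import base64
import struct
# Summary of what this thread's comments say per algorithm (not a compatibility table).
THREAD_NOTES = {
    "ecdsa-sha2-nistp256": "P-256: the curve the plugin picked; maintainer says a key manually imported into a retired slot can be used",
    "ecdsa-sha2-nistp384": "P-384: in the PIV spec per one comment, but not the curve the plugin picked",
    "ssh-ed25519": "Ed25519: one comment says PIV lacks curve25519; another cites Yubico docs listing Ed25519 from firmware 5.7",
    "ssh-rsa": "RSA: PIV has RSA 1024/2048 per one comment; whether age could use it is left open",
}

def read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def classify(line):
    """Return (key_type, detail, note) for one '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    inner, off = read_string(blob, 0)
    key_type = inner.decode("ascii")
    if key_type != parts[0]:  # the text label must match the type inside the blob
        raise ValueError(f"label {parts[0]!r} does not match encoded type {key_type!r}")
    detail = ""
    if key_type.startswith("ecdsa-sha2-"):
        curve, off = read_string(blob, off)  # curve identifier, e.g. nistp256
        detail = curve.decode("ascii")
    elif key_type == "ssh-rsa":
        _, off = read_string(blob, off)  # public exponent e
        n, off = read_string(blob, off)  # modulus n
        detail = f"{int.from_bytes(n, 'big').bit_length()} bits"
    return key_type, detail, THREAD_NOTES.get(key_type, "not discussed in this thread")

def pack_blob(*fields):
    """Build a CONSTRUCTED sample blob from dummy bytes (not a usable key)."""
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()
SAMPLES = [  # constructed lines with dummy key material
    "ssh-ed25519 " + pack_blob(b"ssh-ed25519", bytes(32)) + " sample",
    "ecdsa-sha2-nistp256 " + pack_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)) + " sample",
    "ssh-rsa " + pack_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + bytes(255)) + " sample",
]
if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```

The type is read from inside the base64 blob rather than trusted from the text label, so a relabelled or truncated line is rejected instead of being misclassified.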