
How to Store an SSH Key on a Yubikey


SSH keys suck. They are files on disk, so they can easily be moved to other machines instead of living in hardware they can't be exfiltrated from. Using a password to encrypt the private key is a viable option, but the UX for that is hot garbage. It's allegedly the future, so surely we MUST have some way to make this all better, right?

<Numa> >implying there is a way to make anything security related better

Luckily, there is actually something we can do about this! As of OpenSSH 8.2 (February 14, 2020) you are able to store an SSH private key on a yubikey! Here's how to do it.

<Mara> This should work on other FIDO keys like Google's Titan, but we don't have access to one over here and as such haven't tested it. Your mileage may vary. We are told that it works with the Google Titan key that is handed out to Go contributors.

First install yubikey-manager (see here for more information, or run nix-shell -p yubikey-manager to run it without installing it on NixOS), plug in your yubikey and run ykman list:

$ ykman list
YubiKey 5C NFC (5.4.3) [OTP+FIDO+CCID] Serial: 4206942069

If you haven't set a PIN for the yubikey yet, follow this to set a PIN of your choice. Once you do this, you can generate a new SSH key with the following command:

ssh-keygen -t ed25519-sk -O resident

<Mara> If that fails, try ecdsa-sk instead! Some hardware keys may not support storing the key on the key itself.

Then enter a super secret password (such as the Tongues you received as a kid when you were forced into learning the bible against your will) twice, and then add that key to your agent with ssh-add -K. Then you can list your keys with ssh-add -L:

$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= cadey@shachi

Then you can copy this public key to GitHub or whatever and authenticate as normal. The private key lives on your yubikey directly, and you can load it into an agent with ssh-add -K. Because the key was generated as a resident key, you can delete the ssh key stub at ~/.ssh/id_ed25519_sk and then your yubikey will be the only thing holding that key.
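If you want to see what that public key blob actually contains, here is a small parser, added as an example and not part of the original post: it decodes the wire-format blob that ssh-add -L prints (a length-prefixed key type, the key material, and the FIDO application string "ssh:") and can tell you whether a line in authorized_keys is hardware-backed. It handles both the ed25519-sk and ecdsa-sk formats; the blob below is the one from the output above.

```python
import base64
import struct

# The base64 blob from the `ssh-add -L` output shown above.
SAMPLE_BLOB = (
    "AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L"
    "0fKtgTRnh6F/R+ruAAAABHNzaDo="
)


def read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated ssh string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated ssh string body")
    return buf[off:off + n], off + n


def parse_sk_pubkey(blob_b64):
    """Decode a security-key public key blob into its named fields."""
    buf = base64.b64decode(blob_b64, validate=True)
    ktype, off = read_string(buf, 0)
    ktype = ktype.decode()
    curve = None
    if ktype == "sk-ssh-ed25519@openssh.com":
        pk, off = read_string(buf, off)
    elif ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        curve, off = read_string(buf, off)
        curve = curve.decode()
        pk, off = read_string(buf, off)
    else:
        raise ValueError(f"not a security-key type: {ktype}")
    app, off = read_string(buf, off)  # FIDO application / relying party, "ssh:"
    if off != len(buf):
        raise ValueError("trailing bytes after public key")
    return {"key_type": ktype, "curve": curve, "public_key": pk,
            "application": app.decode()}


def is_hardware_backed(authorized_keys_line):
    """True if the first key blob on the line is an sk-* (FIDO) key."""
    for field in authorized_keys_line.split():
        if field.startswith("AAAA"):  # every ssh blob begins with a 4-byte length
            try:
                return parse_sk_pubkey(field)["key_type"].startswith("sk-")
            except ValueError:
                return False
    return False
```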

This article was posted on May 27, 2022. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Series: howto

Tags: yubikey security

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZora Studios.

Some of the art for Aoi was drawn by @Sandra_Thomas01.