How to Store an SSH Key on a Yubikey

SSH keys suck. They are a file on the disk and you can easily move it to other machines instead of storing them in hardware where they can't be exfiltrated. Using a password to encrypt the private key is a viable option, but the UX for that is hot garbage. It's allegedly the future, so surely we MUST have some way to make this all better, right?

<Numa> >implying there is a way to make anything security related better

Luckily, there is actually something we can do for this! As of OpenSSH 8.2 (Feburary 14, 2020) you are able to store an SSH private key on a yubikey! Here's how to do it.

<Mara> This should work on other FIDO keys like Google's Titan, but we don't have access to one over here and as such haven't tested it. Your mileage may vary. We are told that it works with the Google Titan key that is handed out to Go contributors.

First install yubikey-manager (see here for more information, or run nix-shell -p yubikey-manager to run it without installing it on NixOS), plug in your yubikey and run ykman list:

$ ykman list
YubiKey 5C NFC (5.4.3) [OTP+FIDO+CCID] Serial: 4206942069

If you haven't set a PIN for the yubikey yet, follow this to set a PIN of your choice. Once you do this, you can generate a new SSH key with the following command:

ssh-keygen -t ed25519-sk -O resident

<Mara> If that fails, try ecdsa-sk instead! Some hardware keys may not support storing the key on the key itself.

Then enter in a super secret password (such as the Tongues you received as a kid when you were forced into learning the bible against your will) twice and then add that key to your agent with ssh-add -K. Then you can list your keys with ssh-add -L:

$ ssh-add -L
[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= [email protected]

Then you can copy this public key to GitHub or whatever and authenticate as normal. The private key is stored on your yubikey directly and you can add it with ssh-add -K. You can delete the ssh key stub at ~/.ssh/id_ed25519_sk and then your yubikey will be the only thing holding that key.

This article was posted on M05 27 2022. Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Series: howto

Tags: yubikey security

This post was WebMentioned at the following URLs:

• Storing SSH keys on the Yubikey is great, especially since it's easy to use across machines and it never gets exposed on a machine. I would recommend a backup on e.g. an encrypted USB or on a second Yubikey tho :)
• POG NEW DOMAIN LETS GOOOOOO
• How to Store an SSH Key on a Yubikey christine.website/blog/yubikey-s… #howto #yubikey #security
• <p><span class="h-card"><a href="https://pony.social/@cadey" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cadey</span></a></span> I just wish the hardware tokens made it easier to store multiple keys (but yeah difficult with a single button interface)</p><p>I followed the opsec advice of "don't reuse keys" and now I have 70 different keys for different hosts and can't decide if it's better to have N different yubikeys I need to carry around or go back to a single key that gets reused everywhere.</p>
• <p>I think I just want FIDO for ssh; something that will only send the right key to the right host ever, based on requesting domain & on-key secrets (or something. idk.)</p>
• It's not really a very long article ^^
• thonk
• It's a stub from a past experiment: xeiaso.net/sw.js
• The cheap blue “security” yubikey can be used to store sk resident key too.
• You can use a PGP key as an SSH key, and you can generate a PGP key with `gpg` and, after backing up the key, run the keytocard gpg command to load the key onto the Yubikey. This is a DESTRUCTIVE operation so make sure you have backups of the key.
• Thanks for reminding me to do this!
• How to Store an SSH Key on a Yubikey christine.website/blog/yubikey-s… #howto #yubikey #security
• How to Store an SSH Key on a Yubikey christine.website/blog/yubikey-s… #howto #yubikey #security
• For the record, when I tried making a resident key on a Feitian token last year, it didn't work. Non resident keys work fine with them though, so it's worth trying that in case of problems, just need to keep the file on disk.
• first you need a really big knife
• Read original with better formatting here https://xeiaso.net/blog/yubikey-ssh-key-storage Text only version: SSH keys suck. They are a file on the disk and you can easily move it to other machines instead of storing them in hardware where they can't be exfiltrated. Using a password to encrypt the private key is a viable option, but the UX for that is hot garbage. It's allegedly the future, so surely we MUST have some way to make this all better, right? <Numa> implying there is a way to make anything security related better Luckily, there is actually something we can do for this! As of OpenSSH 8.2 (Feburary 14, 2020) you are able to store an SSH private key on a yubikey! Here's how to do it. Mara is hacker <Mara> This should work on other FIDO keys like Google's Titan, but we don't have access to one over here and as such haven't tested it. Your mileage may vary. We are told that it works with the Google Titan key that is handed out to Go contributors. First install yubikey-manager (see here for more information, or run nix-shell -p yubikey-manager to run it without installing it on NixOS), plug in your yubikey and run ykman list: $ ykman list YubiKey 5C NFC (5.4.3) [OTP+FIDO+CCID] Serial: 4206942069 If you haven't set a PIN for the yubikey yet, follow this to set a PIN of your choice. Once you do this, you can generate a new SSH key with the following command: ssh-keygen -t ed25519-sk -O resident Mara is hacker <Mara> If that fails, try ecdsa-sk instead! Some hardware keys may not support storing the key on the key itself. Then enter in a super secret password (such as the Tongues you received as a kid when you were forced into learning the bible against your will) twice and then add that key to your agent with ssh-add -K. Then you can list your keys with ssh-add -L: $ ssh-add -L [email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= [email protected] Then you can copy this public key to GitHub or whatever and authenticate as normal. The private key is stored on your yubikey directly and you can add it with ssh-add -K. You can delete the ssh key stub at ~/.ssh/id_ed25519_sk and then your yubikey will be the only thing holding that key.
• 1. [__I disabled WiFi on the new Samsung fridge__](https://eattherich.club/@swaggboi/108382897807037127)\ [(395 comments)](https://news.ycombinator.com/item?id=31555629) 2. [__In praise of the humble Sheffield stand__](https://twitter.com/BrixtonHatter/status/1493299809574342659)\ [(204 comments)](https://news.ycombinator.com/item?id=31551854) 3. [__Algorithmic stablecoins are provably impossible without continuous funding__](https://fragileequilibrium.substack.com/p/algorithmic-stablecoins-are-provably)\ [(184 comments)](https://news.ycombinator.com/item?id=31553704) 4. [__Big money, nuclear subsidies, and systemic corruption__](https://thebulletin.org/2021/02/big-money-nuclear-subsidies-and-systemic-corruption/)\ [(121 comments)](https://news.ycombinator.com/item?id=31555938) 5. [__How to Store an SSH Key on a Yubikey__](https://xeiaso.net/blog/yubikey-ssh-key-storage)\ [(97 comments)](https://news.ycombinator.com/item?id=31556130) 6. [__A year with the Elgato Stream Deck__](https://sixcolors.com/post/2022/05/a-year-with-the-elgato-stream-deck/)\ [(94 comments)](https://news.ycombinator.com/item?id=31528895) 7. [__How to stop a robot vacuum from getting stuck on the laundry rack__](https://www.ctrl.blog/entry/robot-vacuum-drying-rack.html)\ [(92 comments)](https://news.ycombinator.com/item?id=31531954) 8. [__Flask Mega-Tutorial__](https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-i-hello-world)\ [(64 comments)](https://news.ycombinator.com/item?id=31556522) 9. [__Makeabetter.computer – Microgrants for projects that make computers better__](https://makeabetter.computer/)\ [(45 comments)](https://news.ycombinator.com/item?id=31557206) 10. [__A Decade of Dotfiles__](https://evanhahn.com/a-decade-of-dotfiles/)\ [(38 comments)](https://news.ycombinator.com/item?id=31557430) 11. [__Xournalpp++ – closs-platform, open source note taking software__](https://xournalpp.github.io/)\ [(34 comments)](https://news.ycombinator.com/item?id=31557140) 12. [__Why smartwatch-measured blood pressure still isn’t ‘ready for primetime’__](https://www.theverge.com/2021/9/16/22677381/smartwatch-blood-pressure-samsung-fitbit-apple)\ [(31 comments)](https://news.ycombinator.com/item?id=31541145) 13. [__Adminer: Database management in a single PHP file__](https://github.com/vrana/adminer)\ [(28 comments)](https://news.ycombinator.com/item?id=31554753) 14. [__Goodbye PNaCl, Hello WebAssembly__](https://blog.chromium.org/2017/05/goodbye-pnacl-hello-webassembly.html)\ [(23 comments)](https://news.ycombinator.com/item?id=31555347) 15. [__Show HN: Top Links from Hacker News, Reddit, Techmeme, PH on a Single Page__](https://alltoplinks.com/)\ [(20 comments)](https://news.ycombinator.com/item?id=31556961) 16. [__Unity Systems Home Manager Support__](https://www.unitysystemshomemanager.com/)\ [(18 comments)](https://news.ycombinator.com/item?id=31555911) 17. [__Disputing the Dogmas of Surveillance Advertising__](https://www.ftc.gov/system/files/documents/public_statements/1597050/commissioner_slaughter_national_advertising_division_10-1-2021_keynote_address.pdf)\ [(13 comments)](https://news.ycombinator.com/item?id=31557331) 18. [__Conway's Game of Life in APL in Forth__](https://github.com/chmykh/apl-life)\ [(13 comments)](https://news.ycombinator.com/item?id=31537648) 19. [__Solving Problems with Decomposition__](https://www.erichgrunewald.com/posts/decomposition-and-problem-solving/)\ [(9 comments)](https://news.ycombinator.com/item?id=31556758) 20. [__Scaleway price 'harmonization'__](item?id=31557105)\ [(9 comments)](https://news.ycombinator.com/item?id=31557105) 21. [__Hacking Detergent DRM for 98% Cost Saving__](https://github.com/dekuNukem/bob_cassette_rewinder/blob/master/README.md)\ [(8 comments)](https://news.ycombinator.com/item?id=31558525) 22. [__Sorcerer’s Apprentice: Looking for demons in a disenchanted world__](https://harpers.org/archive/2022/06/sorcerers-apprentice-looking-for-demons/)\ [(5 comments)](https://news.ycombinator.com/item?id=31545186) 23. [__Chaos: The Problem with Quantum Mechanics__](http://backreaction.blogspot.com/2022/05/chaos-real-problem-with-quantum.html)\ [(5 comments)](https://news.ycombinator.com/item?id=31540091) 24. [__Implementing gradient explanations for a HuggingFace text classification model__](https://victordibia.com/blog/explain-bert-classification/)\ [(4 comments)](https://news.ycombinator.com/item?id=31555145) 25. [__Philosophy’s Gentle Giant__](https://www.newstatesman.com/ideas/2022/05/philosophys-gentle-giant)\ [(2 comments)](https://news.ycombinator.com/item?id=31546766) 26. [__AssemblyAI (YC S17) is hiring senior engineers to build ML systems at scale__](item?id=31558533)\ [(0 comments)](https://news.ycombinator.com/item?id=31558533) 27. [__Grothendieck's Approach to Equality [pdf]__](https://www.ma.ic.ac.uk/~buzzard/xena/pdfs/grothendieck_equality.pdf)\ [(0 comments)](https://news.ycombinator.com/item?id=31557361) 28. [__The Underground Library__](https://www.historytoday.com/archive/history-matters/underground-library)\ [(0 comments)](https://news.ycombinator.com/item?id=31543354) 29. [__Alexa, why have you charged me £2 to say the Hail Mary?__](https://www.theguardian.com/money/2022/may/28/alexa-daily-prayers-voice-command-amazon-subscription)\ [(0 comments)](https://news.ycombinator.com/item?id=31558530) 30. [__Sage and a glimpse of group computing from before the PC__](https://interconnected.org/home/2021/12/21/sage)\ [(0 comments)](https://news.ycombinator.com/item?id=31535139)
• <p><span class="h-card"><a href="https://pony.social/@cadey" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>cadey</span></a></span> this is cool stuff. Today I learned that’s possible, thank you!</p>

The art for Mara was drawn by Selicre.

The art for Cadey was drawn by ArtZora Studios.