Jan-Philipp Litza

Yubikey, GPG and SSH 21. October 2015

Today a small letter from Great Britain arrived: My new Yubikey NEO! ☺ When Yubico announced that they would be giving a 20% discount for Github users a few weeks ago, I decided to finally order this hardware token capable of (among other cool things) acting as a GPG smartcard via USB or NFC. Advantages of a hardware security token are obvious: The keys cannot be extracted and it can be used with whatever device has a USB port or NFC module.

The first pitfall and kind of disappointment was that the Yubikey NEO only supports RSA with 2048 bits. This meant that I couldn’t transfer my primary key to the device, as it is 4096 bits long; neither any of the subkeys it had at that time. But thanks to the geniuses who designed OpenPGP, the subkeys of a key are exchangeable without loosing the signatures! So I generated a few new subkeys, revoked old ones and was all set.

The big disadvantage of this move: Nobody will update my key. Executing gpg --refresh-keys seems to be a very rare action. I notice this at least yearly, because my key always expires after a year and is renewed if I still use it. And every time a couple of people tell me that my key expired. Yes, it did, and I renewed it, damn it! So until my old encryption key expires (2015-12-02, that is), everybody will keep using it. ☹

However, one of the things I found most interesting was combining the Yubikey and GPG with SSH public key authentication. This enables me to have another subkey with the “authentication” flag set to log in to remote machines. Even better: Everybody who wants to grant me access to their machine can simply1 extract the necessary public key information from my GPG key, and trust that allowing that key will really only grant access to me thanks to the web of trust!

So now what I am still missing is an ssh-agent and a compatible client for Android. OpenKeychain does a great job as a gpg-agent and even supports the Yubikey NEO, it only lacks authentication support (yet).

  1. gpg2 --export-ssh-key jplitza (with a recent enough version of GnuPG)