Import my SSH key as GPG sub-key to use for SSH authentication

I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my O.S. (Kubuntu) than ssh-agent.

I'm lazy and would like to avoid having to replace my SSH key in all the various servers I've access to.

Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg agent with ssh-agent support so that when I run ssh something it uses my subkey and uses gpg agent to ask for the passphrase?

Ideally I supply the passphrase only once, for my main PGP key and then whenever I commit or login through ssh, it uses the right one.

Is it possible? (I know they are different formats, but that's really all I know)

asked Jun 23 '17 at 3:07
Fire-Dragon-DoL

          2 Answers
Found an easy approach. You need the pem2openpgp utility from the monkeysphere project and gpg2's ability to import an existing key as a subkey.

First convert the SSH key to OpenPGP format. You have to provide a new user ID as required by GPG.

    $ pem2openpgp "$TEMP_USERID" < .ssh/id_rsa | gpg2 --import

Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down the keygrip of the newly imported key:

    $ gpg2 -K --with-keygrip "$TEMP_USERID"
    sec   rsa4096 2018-03-02 [C]
          21C766CAC691F395D640E8207E9F9F883D1E49D8
          Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
    uid           [ unknown] TEST

Now use gpg2 --expert --edit-key on your master key and import the above key as your subkey:

    $ gpg2 --expert --edit-key "$YOURUSERID"
    gpg> addkey
    ......
    (13) Existing key
    Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
    ......

gpg2 will ask you lots of questions as usual. Remember to toggle the correct key capabilities (sign: off, encrypt: off, auth: on).

After this you should have the imported SSH key as your master key's subkey. Check it:

    $ gpg2 -K "$YOURUSERID" --with-keygrip
    sec   rsa4096 2016-02-02 [SC]
    ......
    uid           [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
    ......
    ssb   rsa4096 2018-02-21 [A]
          Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E

You can use gpg2 --export-ssh-key to verify that the imported subkey is indeed the same as the original SSH key.

Note that the temporary user ID used for the key import is still in your keyring. You must delete it manually. GnuPG prevents you from removing a public key / user ID without deleting the corresponding private keys. However, since the temporary user and your imported subkey share the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes the imported subkey.

My solution is to back up the private keys in ~/.gnupg/private-keys-v1.d and move them back after gpg2 has removed the imported subkey.

I submitted a feature request to ask GnuPG for an option to delete the public key without affecting the private key: https://dev.gnupg.org/T3808

answered Mar 2 at 3:02
cuihao

All that you need:

    export GPG_TTY=$(tty)
    export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    ssh-add ~/.ssh/id_rsa

Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.

Now you can do an SSH login for testing.

After that, remember to add the environment variables to your profile, such as .profile or ~/.bashrc.

(PS: You can find the SSH key (in gpg format) in ~/.gnupg/private-keys-v1.d/, with its keygrip as the file name; it can be added as a subkey.)

Reference:

https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html

https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html

answered 9 mins ago
King's Way
