Import my SSH key as GPG sub-key to use for SSH authentication

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite












I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my O.S. (Kubuntu) than ssh-agent.



I'm lazy and would like to avoid having to replace my SSH key in all the various servers I've access to.



Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg agent with ssh-agent support so that when I run ssh something it uses my subkey and uses gpg agent to ask for the passphrase?



Ideally I supply the passhprase only once, for my main PGP key and then whenever I commit or login through ssh, it uses the right one.



Is it possible? (I know they are different format, but that's really all I know)










share|improve this question

























    up vote
    3
    down vote

    favorite












    I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my O.S. (Kubuntu) than ssh-agent.



    I'm lazy and would like to avoid having to replace my SSH key in all the various servers I've access to.



    Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg agent with ssh-agent support so that when I run ssh something it uses my subkey and uses gpg agent to ask for the passphrase?



    Ideally I supply the passhprase only once, for my main PGP key and then whenever I commit or login through ssh, it uses the right one.



    Is it possible? (I know they are different format, but that's really all I know)










    share|improve this question























      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my O.S. (Kubuntu) than ssh-agent.



      I'm lazy and would like to avoid having to replace my SSH key in all the various servers I've access to.



      Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg agent with ssh-agent support so that when I run ssh something it uses my subkey and uses gpg agent to ask for the passphrase?



      Ideally I supply the passhprase only once, for my main PGP key and then whenever I commit or login through ssh, it uses the right one.



      Is it possible? (I know they are different format, but that's really all I know)










      share|improve this question













      I recently created a PGP key to sign my commits and it's working properly. I also discovered that gpg integrates better with my O.S. (Kubuntu) than ssh-agent.



      I'm lazy and would like to avoid having to replace my SSH key in all the various servers I've access to.



      Is there any option for me to import my existing SSH key as a subkey of my PGP key and then run gpg agent with ssh-agent support so that when I run ssh something it uses my subkey and uses gpg agent to ask for the passphrase?



      Ideally I supply the passhprase only once, for my main PGP key and then whenever I commit or login through ssh, it uses the right one.



      Is it possible? (I know they are different format, but that's really all I know)







      ssh gpg






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Jun 23 '17 at 3:07









      Fire-Dragon-DoL

      1164




      1164




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote













          Found an easy approach. You need pem2openpgp utility from monkeysphere project and gpg2's ability to import existing key as subkey.



          First convert SSH key to OpenPGP format. You have to privode a new user ID as required by GPG.



          $ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import


          Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down keygrip of newly imported key:



          $ gpg2 -K --with-keygrip $TEMP_USERID
          sec rsa4096 2018-03-02 [C]
          21C766CAC691F395D640E8207E9F9F883D1E49D8
          Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
          uid [ unknown] TEST


          Now use gpg2 --expert --edit-key on your master key and import above key as your subkey:



          $ gpg2 --expert --edit-key $YOURUSERID
          gpg> addkey
          ......
          (13) Existing key
          Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
          ......


          gpg2 will ask you lots of questions as usual. Remember to toggle correct key capabilities (sign: off, encrypt: off, auth: on).



          After this you should have the imported SSH key as your master key's subkey. Check it:



          $ gpg2 -K $YOURUSERID --with-keygrip
          sec rsa4096 2016-02-02 [SC]
          ......
          uid [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
          ......
          ssb rsa4096 2018-02-21 [A]
          Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E


          You can use gpg2 --export-ssh-key to verify the imported subkey is indeed the same as original SSH key.



          Note that the temporary user id used for key import is still in your keyring. You must delete it manually. GnuPG prevent you from removing public key / user id without deleting corresponding private keys. However, since the temporary user and your imported subkey share shares the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes imported subkey.



          My solution is to backup private keys in ~/.gnupg/private-keys-v1.d and move it back after gpg2 removed imported subkey.



          I submit a feature request to ask GnuPG for an option to delete the public key without affecting private key: https://dev.gnupg.org/T3808






          share|improve this answer



























            up vote
            1
            down vote













            All that you need:



            export GPG_TTY=$(tty)
            export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
            ssh-add ~/.ssh/id_rsa



            Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.



            Now you can do an SSH login for testing.



            After all, remember to add the Environments to your profile, like .profile or ~/.bashrc.




            (Ps:You can find the ssh key(in gpg format) exists in ~/.gnupg/private-keys-v1.d/ and with keygrip as its name, which can be used to be added as a subkey.



            Reference:



            https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html



            https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html





            share








            New contributor




            King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.

















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "106"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f372879%2fimport-my-ssh-key-as-gpg-sub-key-to-use-for-ssh-authentication%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              3
              down vote













              Found an easy approach. You need pem2openpgp utility from monkeysphere project and gpg2's ability to import existing key as subkey.



              First convert SSH key to OpenPGP format. You have to privode a new user ID as required by GPG.



              $ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import


              Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down keygrip of newly imported key:



              $ gpg2 -K --with-keygrip $TEMP_USERID
              sec rsa4096 2018-03-02 [C]
              21C766CAC691F395D640E8207E9F9F883D1E49D8
              Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
              uid [ unknown] TEST


              Now use gpg2 --expert --edit-key on your master key and import above key as your subkey:



              $ gpg2 --expert --edit-key $YOURUSERID
              gpg> addkey
              ......
              (13) Existing key
              Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
              ......


              gpg2 will ask you lots of questions as usual. Remember to toggle correct key capabilities (sign: off, encrypt: off, auth: on).



              After this you should have the imported SSH key as your master key's subkey. Check it:



              $ gpg2 -K $YOURUSERID --with-keygrip
              sec rsa4096 2016-02-02 [SC]
              ......
              uid [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
              ......
              ssb rsa4096 2018-02-21 [A]
              Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E


              You can use gpg2 --export-ssh-key to verify the imported subkey is indeed the same as original SSH key.



              Note that the temporary user id used for key import is still in your keyring. You must delete it manually. GnuPG prevent you from removing public key / user id without deleting corresponding private keys. However, since the temporary user and your imported subkey share shares the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes imported subkey.



              My solution is to backup private keys in ~/.gnupg/private-keys-v1.d and move it back after gpg2 removed imported subkey.



              I submit a feature request to ask GnuPG for an option to delete the public key without affecting private key: https://dev.gnupg.org/T3808






              share|improve this answer
























                up vote
                3
                down vote













                Found an easy approach. You need pem2openpgp utility from monkeysphere project and gpg2's ability to import existing key as subkey.



                First convert SSH key to OpenPGP format. You have to privode a new user ID as required by GPG.



                $ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import


                Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down keygrip of newly imported key:



                $ gpg2 -K --with-keygrip $TEMP_USERID
                sec rsa4096 2018-03-02 [C]
                21C766CAC691F395D640E8207E9F9F883D1E49D8
                Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                uid [ unknown] TEST


                Now use gpg2 --expert --edit-key on your master key and import above key as your subkey:



                $ gpg2 --expert --edit-key $YOURUSERID
                gpg> addkey
                ......
                (13) Existing key
                Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                ......


                gpg2 will ask you lots of questions as usual. Remember to toggle correct key capabilities (sign: off, encrypt: off, auth: on).



                After this you should have the imported SSH key as your master key's subkey. Check it:



                $ gpg2 -K $YOURUSERID --with-keygrip
                sec rsa4096 2016-02-02 [SC]
                ......
                uid [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
                ......
                ssb rsa4096 2018-02-21 [A]
                Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E


                You can use gpg2 --export-ssh-key to verify the imported subkey is indeed the same as original SSH key.



                Note that the temporary user id used for key import is still in your keyring. You must delete it manually. GnuPG prevent you from removing public key / user id without deleting corresponding private keys. However, since the temporary user and your imported subkey share shares the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes imported subkey.



                My solution is to backup private keys in ~/.gnupg/private-keys-v1.d and move it back after gpg2 removed imported subkey.



                I submit a feature request to ask GnuPG for an option to delete the public key without affecting private key: https://dev.gnupg.org/T3808






                share|improve this answer






















                  up vote
                  3
                  down vote










                  up vote
                  3
                  down vote









                  Found an easy approach. You need pem2openpgp utility from monkeysphere project and gpg2's ability to import existing key as subkey.



                  First convert SSH key to OpenPGP format. You have to privode a new user ID as required by GPG.



                  $ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import


                  Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down keygrip of newly imported key:



                  $ gpg2 -K --with-keygrip $TEMP_USERID
                  sec rsa4096 2018-03-02 [C]
                  21C766CAC691F395D640E8207E9F9F883D1E49D8
                  Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                  uid [ unknown] TEST


                  Now use gpg2 --expert --edit-key on your master key and import above key as your subkey:



                  $ gpg2 --expert --edit-key $YOURUSERID
                  gpg> addkey
                  ......
                  (13) Existing key
                  Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                  ......


                  gpg2 will ask you lots of questions as usual. Remember to toggle correct key capabilities (sign: off, encrypt: off, auth: on).



                  After this you should have the imported SSH key as your master key's subkey. Check it:



                  $ gpg2 -K $YOURUSERID --with-keygrip
                  sec rsa4096 2016-02-02 [SC]
                  ......
                  uid [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
                  ......
                  ssb rsa4096 2018-02-21 [A]
                  Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E


                  You can use gpg2 --export-ssh-key to verify the imported subkey is indeed the same as original SSH key.



                  Note that the temporary user id used for key import is still in your keyring. You must delete it manually. GnuPG prevent you from removing public key / user id without deleting corresponding private keys. However, since the temporary user and your imported subkey share shares the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes imported subkey.



                  My solution is to backup private keys in ~/.gnupg/private-keys-v1.d and move it back after gpg2 removed imported subkey.



                  I submit a feature request to ask GnuPG for an option to delete the public key without affecting private key: https://dev.gnupg.org/T3808






                  share|improve this answer












                  Found an easy approach. You need pem2openpgp utility from monkeysphere project and gpg2's ability to import existing key as subkey.



                  First convert SSH key to OpenPGP format. You have to privode a new user ID as required by GPG.



                  $ pem2openpgp $TEMP_USERID < .ssh/id_rsa | gpg2 --import


                  Now you have a new user ID with your SSH key as master key. You can check it with gpg2 -K (I set TEMP_USERID to TEST). Also write down keygrip of newly imported key:



                  $ gpg2 -K --with-keygrip $TEMP_USERID
                  sec rsa4096 2018-03-02 [C]
                  21C766CAC691F395D640E8207E9F9F883D1E49D8
                  Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                  uid [ unknown] TEST


                  Now use gpg2 --expert --edit-key on your master key and import above key as your subkey:



                  $ gpg2 --expert --edit-key $YOURUSERID
                  gpg> addkey
                  ......
                  (13) Existing key
                  Enter the keygrip: AAB27E63622E87B27AC34293EDF52C3AB016CA2E
                  ......


                  gpg2 will ask you lots of questions as usual. Remember to toggle correct key capabilities (sign: off, encrypt: off, auth: on).



                  After this you should have the imported SSH key as your master key's subkey. Check it:



                  $ gpg2 -K $YOURUSERID --with-keygrip
                  sec rsa4096 2016-02-02 [SC]
                  ......
                  uid [ 绝对 ] CUI Hao (cvhc) <cuihao.leo@gmail.com>
                  ......
                  ssb rsa4096 2018-02-21 [A]
                  Keygrip = AAB27E63622E87B27AC34293EDF52C3AB016CA2E


                  You can use gpg2 --export-ssh-key to verify the imported subkey is indeed the same as original SSH key.



                  Note that the temporary user id used for key import is still in your keyring. You must delete it manually. GnuPG prevent you from removing public key / user id without deleting corresponding private keys. However, since the temporary user and your imported subkey share shares the same private key, gpg2 --delete-secret-keys $TEMP_USERID also deletes imported subkey.



                  My solution is to backup private keys in ~/.gnupg/private-keys-v1.d and move it back after gpg2 removed imported subkey.



                  I submit a feature request to ask GnuPG for an option to delete the public key without affecting private key: https://dev.gnupg.org/T3808







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Mar 2 at 3:02









                  cuihao

                  464




                  464






















                      up vote
                      1
                      down vote













                      All that you need:



                      export GPG_TTY=$(tty)
                      export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
                      ssh-add ~/.ssh/id_rsa



                      Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.



                      Now you can do an SSH login for testing.



                      After all, remember to add the Environments to your profile, like .profile or ~/.bashrc.




                      (Ps:You can find the ssh key(in gpg format) exists in ~/.gnupg/private-keys-v1.d/ and with keygrip as its name, which can be used to be added as a subkey.



                      Reference:



                      https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html



                      https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html





                      share








                      New contributor




                      King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





















                        up vote
                        1
                        down vote













                        All that you need:



                        export GPG_TTY=$(tty)
                        export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
                        ssh-add ~/.ssh/id_rsa



                        Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.



                        Now you can do an SSH login for testing.



                        After all, remember to add the Environments to your profile, like .profile or ~/.bashrc.




                        (Ps:You can find the ssh key(in gpg format) exists in ~/.gnupg/private-keys-v1.d/ and with keygrip as its name, which can be used to be added as a subkey.



                        Reference:



                        https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html



                        https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html





                        share








                        New contributor




                        King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.



















                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          All that you need:



                          export GPG_TTY=$(tty)
                          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
                          ssh-add ~/.ssh/id_rsa



                          Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.



                          Now you can do an SSH login for testing.



                          After all, remember to add the Environments to your profile, like .profile or ~/.bashrc.




                          (Ps:You can find the ssh key(in gpg format) exists in ~/.gnupg/private-keys-v1.d/ and with keygrip as its name, which can be used to be added as a subkey.



                          Reference:



                          https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html



                          https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html





                          share








                          New contributor




                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          All that you need:



                          export GPG_TTY=$(tty)
                          export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
                          ssh-add ~/.ssh/id_rsa



                          Then feel free to remove the files: mv ~/.ssh/id_rsa.* /path/to/backup.



                          Now you can do an SSH login for testing.



                          After all, remember to add the Environments to your profile, like .profile or ~/.bashrc.




                          (Ps:You can find the ssh key(in gpg format) exists in ~/.gnupg/private-keys-v1.d/ and with keygrip as its name, which can be used to be added as a subkey.



                          Reference:



                          https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html



                          https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html






                          share








                          New contributor




                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.








                          share


                          share






                          New contributor




                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered 9 mins ago









                          King's Way

                          111




                          111




                          New contributor




                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          King's Way is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f372879%2fimport-my-ssh-key-as-gpg-sub-key-to-use-for-ssh-authentication%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?