October 19, 2015 - Tom Hacohen

Using OpenPGP Keys For SSH Authentication

If you already use OpenPGP, there is no need for you to create an additional SSH key. You can just consolidate your identity and use the same key for SSH authentication. The main benefits that come to mind are:

  1. Preparing yourself for your eventual migration to using an OpenPGP smart card (hereby: SmartCard) like the YubiKey NEO.
  2. Having one less key to worry about.

The rest of this post assumes:

  1. You use GnuPG version 2.1 or later (run gpg --version to verify).
  2. You already have an OpenPGP key (plenty of tutorials online).
  3. You already use gpg-agent as your SSH agent (plenty of tutorials online).

Create an Authentication subkey

We first need to open the relevant key for editing in expert mode:

Now we are going to add a new authentication key:

Select (8) RSA (set your own capabilities).

Select (S), (E) and (A) until the current allowed actions contains only Authenticate, and then select (Q) to finish.

Select 2048, because as of now, this is the largest key size supported by the YubiKey and many other SmartCards, and is safe enough anyway.

Continue with setting expiration and following instructions. After the key has been generated run:

You will now see the same output as when we first ran gpg --expert --edit-key 7C477933 with the newly added key included:

Where A indicates this subkey is used for authentication.

Adding the key to the agent

There are two possible alternatives for using the newly generated key. Using a SmartCard or not.

Without a SmartCard

First we need to find our key’s keygrip, this can be done by running gpg -K --with-keygrip and locating our key: So for the new key in our example, this should look something like:

After that open ~/.gnupg/sshcontrol with your favourite editor, and append the keygrip found, as follows:

With a SmartCard

Important: This section explains how to move your private key to the SmartCard. This is not reversible, so please make sure you have a valid backup of the key before continuing.

This is very easy. First, let’s open the key for editing:

Run toggle to switch to secret key mode:

Choose the authentication key:

Move it to the card:

Select 3, because the key we chose is an authentication key, as denoted by the A in the usage field.

If you wish to also move the encryption key and signature key to the card, please repeat the previous stages for those too.

To finish, enter quit:

This is it, you now have your keys on your SmartCard, and they are ready to be used.

Using the key

Now we should have everything set up correctly. The only thing left to do is finding our public-key. Assuming everything works as expected, this is very easy:

This will list all of the keys loaded in your agent. If you use a SmartCard, look for the one with the comment that starts with cardno:, or if you don’t use a SmartCard, for the one with the comment (none). This is your public-key and you can use it like you would normally.


As you can see, this is useful, very easy to do and is required for using a SmartCard, a highly recommended practice.

Please let me know if you have spotted any mistakes or have any suggestions.


As originally posted on my blog.

Tom Hacohen

About Tom Hacohen

Tom has been using Linux since 2003. Previously a core developer and part of the leading team at SHR (Openmoko), he is currently a core developer for the EFL (www.enlightenment.org). He has also contributed to many other Open Source projects over the years. In 2010 he started working at Samsung's open source group on the Tizen Linux platform.

Image Credits: Rachael Towne

General / Linux / Open Source Infrastructure gnupg / openpgp / Security / smart card /

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments Protected by WP-SpamShield Anti-Spam