This is probably the best way to store SSH keys on the Yubikey 5, this allows you to move around freely without needing to store private key files directly on every file system you want to connect from. There are some other possible methods also e.g GPG or PKCS11.
This method is only possible since 2020-02-14, OpenSSH 8.2 was released to add FIDO2/U2F hardware authenticator support.
- The newer FIDO/U2F key types are only supported, ecdsa-sk and ed25519-sk (sk = security key)
- The Yubikey 5 should be able to store up to 25 keys. (Alternatively use Solokeys for 50 keys)
- Storing both parts of a key on a FIDO token increases the likelihood of an attacker being able to use a stolen token device. We will add a PIN to help mitigate this, you can also further add a passphrase to your key.
- Git Bash required as native OpenSSH built into Windows 10 doesn't support FIDO2 yet, among many other popular SSH clients.
- Yubikey manager [https://www.yubico.com/support/download/yubikey-manager]
- Git Bash (make sure it is a latest version so openSSH >= 8.2 which is required for FIDO2/U2F support) [https://git-scm.com/downloads]
- Right-Click Yubikey Manager -> Run as Administrator (This is required for FIDO2)
- Applications -> FIDO2
- Change PIN
- Right-Click Git Bash -> Run as Administrator (This is required otherwise you get invalid format error later)
- (Git Bash)
ssh-keygen -t ed25519-sk -O resident - (Git Bash)
ssh-copy-id -i filename.pub user@serverip
- (Git Bash)
eval "$(ssh-agent -s)"
(Windows only thing on Git Bash)
- (Git Bash)
ssh-add -K
This loads all resident keys stored on the Yubikey into the ssh-agent directly without writing them to the filesystem, you will be prompted for the PIN and touch. (note if on Apple MAC then the -K flag means keychain which is different)
- (Git Bash)
ssh user@server
- ssh-keygen -K ( Download all private / public keys stored on Yubikey )