Last active June 3, 2023 19:03
Use my Yubikey with GPG keys to SSH with a guest computer (OSX or Windows)

Great documentation about all this (much better than these notes):

Using Yubikey (PIV on osx, etc.)

Documentation for PIV:

To manage the certificates:

Using GPG key

Personalization tool:

You have to install GPG of course ;).

Very good guide here:

OSX / Linux


Read the key info to be sure the card is connected:

$ gpg2 --card-status

Then load the public key if it is not available online. If you use Keybase, your key is available online through the Keybase key server.

$ gpg2 --import < key.asc 

Link the private keys on the smartcard to your keyring:

The fetch command downloads the public key from the URL stored on the card if you don't have it already, then creates private-key stubs that point at the card (no secret material ever leaves the Yubikey).

$ gpg2 --card-edit
gpg/card> fetch

Then run the GPG Agent:

killall ssh-agent gpg-agent
eval $(gpg-agent --daemon --enable-ssh-support)

Check if the key is present:

ssh-add -L

If not, run gpg2 --card-status again. If the card is present, the key should be listed.
It can take a moment for the agent to list the keys if the system is using GPG.

If the key was in the agent before (you lost your card and are now using your backup card), you have to remove the cached private-key stub in the ~/.gnupg/private-keys-v1.d directory. Each stub is a file named <keygrip>.key; for a card-backed key it only records which card holds the key.
DO NOT REMOVE ALL FILES because if you do, you'll lose all the private keys that you have.

You can get the list of the keygrips you want to remove by using: gpg2 --list-secret-keys --with-keygrip KEYID.

Then reimport your public key, and only AFTER that insert your Yubikey and run gpg2 --card-status. If you keep your Yubikey inserted while you reimport the public key, you'll get a "no secret key" error. (see here)

GPG Agent

Put this into your ~/.profile file:

# tell gpg which terminal to use for PIN prompts
GPG_TTY=$(tty)
export GPG_TTY

# point ssh at gpg-agent's SSH socket (newer GnuPG puts it where
# "gpgconf --list-dirs agent-ssh-socket" says; adjust the path if so)
if [ -S "${HOME}/.gnupg/S.gpg-agent.ssh" ]; then
  export SSH_AUTH_SOCK="${HOME}/.gnupg/S.gpg-agent.ssh"
fi

A good way to restart the agent is:

killall ssh-agent gpg-agent
eval $(gpg-agent --daemon --enable-ssh-support)

List of used GPG keys for SSH

You can find the list of your key's keygrip into ~/.gnupg/sshcontrol.

In this file you'll find all the keygrips.
If at one moment you need to use a GPG key for SSH without smartcard, you need to add the keygrip into this file.

To find the keygrip of your key (you need an authentication subkey, flagged [A]), use the following:

gpg2 --with-keygrip -k

In the output, the Keygrip line under the subkey marked [A] is the one you need.

Change card (use backup card)

Insert the backup key and run:

gpg-connect-agent "scd serialno" "learn --force" /bye
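The keygrip lookup for sshcontrol and the backup-card cleanup above, as an added shell example that is not part of this gist: it parses a constructed sample of gpg2 --with-keygrip -k output (every key ID, keygrip and user ID in it is made up), picks the [A] subkey's keygrip, builds the matching sshcontrol line, and removes only that key's stub files from private-keys-v1.d. It assumes GnuPG's default layout of one <keygrip>.key file per key under $GNUPGHOME/private-keys-v1.d (or ~/.gnupg).

```shell
#!/bin/sh
# Added example (not part of the original gist): parse the output of
# `gpg2 --with-keygrip -k` to pick the authentication subkey's keygrip,
# build the sshcontrol line for it, and remove ONLY the card stubs of a
# given key from private-keys-v1.d before switching to a backup card.
# Key IDs, keygrips and the user ID below are constructed sample data.

SAMPLE_LISTING='pub   rsa4096 2017-05-01 [SC]
      1111222233334444555566667777888899990000
      Keygrip = AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
uid           [ultimate] Example User <user@example.org>
sub   rsa4096 2017-05-01 [E]
      Keygrip = 0000111122223333444455556666777788889999
sub   rsa4096 2017-05-01 [A]
      Keygrip = FFFF0000EEEE1111DDDD2222CCCC3333BBBB4444
'

# auth_keygrip: read a key listing on stdin and print the keygrip of the
# first subkey whose capability flags include A (authentication).
auth_keygrip() {
  awk '
    /^sub / && /\[[CSEA]*A[CSEA]*\]/ { want = 1; next }
    /^(pub|sub|uid) /                { want = 0 }
    want && /Keygrip = /             { print $3; exit }
  '
}

# all_keygrips: print every keygrip in a listing (primary key and subkeys),
# i.e. the set shown by `gpg2 --list-secret-keys --with-keygrip KEYID`.
all_keygrips() {
  awk '/Keygrip = / { print $3 }'
}

# stub_path: the stub file gpg-agent keeps for a keygrip. For a card-backed
# key this file only says "the key is on card <serial>"; it holds no secret.
stub_path() {
  printf '%s/private-keys-v1.d/%s.key\n' "${GNUPGHOME:-$HOME/.gnupg}" "$1"
}

# sshcontrol_line: entry for ~/.gnupg/sshcontrol (format: KEYGRIP TTL [FLAGS]).
# TTL 0 means the agent default; add "confirm" as FLAGS to prompt on every use.
sshcontrol_line() {
  printf '%s 0\n' "$1"
}

# remove_stubs: read a listing on stdin and delete only the stubs that belong
# to its keygrips, printing each path removed. Every other file in
# private-keys-v1.d (your non-card private keys) is left alone.
remove_stubs() {
  all_keygrips | while read -r grip; do
    # refuse anything that is not a 40-hex-char keygrip (no path tricks)
    case "$grip" in
      *[!0-9A-F]*) continue ;;
    esac
    [ "${#grip}" -eq 40 ] || continue
    f=$(stub_path "$grip")
    if [ -f "$f" ]; then
      rm -- "$f" && printf '%s\n' "$f"
    fi
  done
}

# Stand-alone demo on the constructed listing: which keygrip goes into
# sshcontrol if you want this key usable for SSH without the card.
grip=$(printf '%s' "$SAMPLE_LISTING" | auth_keygrip)
echo "authentication keygrip: $grip"
echo "sshcontrol entry:       $(sshcontrol_line "$grip")"
```

To use it against a real keyring, pipe gpg2 --list-secret-keys --with-keygrip KEYID into remove_stubs (with the Yubikey unplugged), then reimport the public key, insert the backup card and run gpg2 --card-status or the gpg-connect-agent "learn --force" command above. Point GNUPGHOME at a scratch directory first if you want to see what it would delete.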




antifob commented May 15, 2017

Using fetch to import the private key somewhat implies that it is publicly available.


@uqam-fob No. Using fetch implies that you retrieve the public key if it doesn't exist on the machine, or not if it exists already, and it links the card to the public key. That's all.
