@mdwheele
Last active September 7, 2021 16:10
🔥 This is a work in progress moving a bunch of notes to one place so I don't have to do this from memory ever again...

Versions Tested

# Local (MacOS Catalina)
gpg (GnuPG) 2.2.30 
OpenSSH_8.1p1, LibreSSL 2.7.3

# Remote (Ubuntu 20.04 LTS)
gpg (GnuPG) 2.2.19 
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020

Prerequisites

  1. Install GPG.

    For MacOS

    brew install gnupg@2.2 pinentry-mac
    brew link gnupg@2.2
    

    For Ubuntu 20.04 LTS

    apt-get update
    apt-get install gnupg
    

Configure GPG (local)

  1. Add use-agent to ~/.gnupg/gpg.conf:

    echo "use-agent" > ~/.gnupg/gpg.conf
    
  2. Add the following to ~/.gnupg/gpg-agent.conf:

    allow-loopback-pinentry
    enable-ssh-support
    default-cache-ttl 14400
    max-cache-ttl 86400
    pinentry-program /usr/local/bin/pinentry-mac
    
  3. Configure gpg-agent to start on login by adding the following to ~/.bash_profile:

    # GnuPG 2.1+ ignores GPG_AGENT_INFO and treats --write-env-file as an
    # obsolete no-op, so the old ~/.gpg-agent-info approach does nothing on
    # the versions tested above. gpgconf starts the agent on its standard
    # socket and is a no-op if it is already running.
    gpgconf --launch gpg-agent
    # With enable-ssh-support, point ssh at the agent's SSH socket.
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    
  4. Kill any running agents:

    sudo killall gpg-agent
    
  5. Restart the terminal to reload ~/.bash_profile and start gpg-agent.

Configure GPG (remote)

  1. Add the following to ~/.gnupg/gpg.conf:

    use-agent
    default-key {PUBLIC_KEY}
    
  2. Initialize GPG (running any gpg command creates ~/.gnupg if it does not exist yet):

    gpg --list-keys
    

Export public key from local machine to remote machine

On the local machine, run the following:

gpg --export -a {PUBLIC_KEY} | ssh {REMOTE_HOST} 'gpg --import -'

Fetch your USERNAME and REMOTE_UID

On the remote machine, run the following:

whoami
id -u

This will return your USERNAME and REMOTE_UID for future use.

Configure SSH (local)

  1. Add the following to ~/.ssh/config (replace text marked {...} with your own values):

    Host {REMOTE_HOST}
        HostName {REMOTE_HOST}
        ForwardAgent yes
        User {USERNAME}
        RemoteForward /run/user/{REMOTE_UID}/gnupg/S.gpg-agent /Users/{USERNAME}/.gnupg/S.gpg-agent
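
An added example, not part of the gist: a small script that derives both socket paths with gpgconf instead of hard-coding /run/user/{REMOTE_UID} and /Users/{USERNAME}, and forwards the agent's restricted extra socket (S.gpg-agent.extra, the one GnuPG exposes for forwarding) rather than the full one. It assumes gpgconf is on the PATH on both machines; the host alias and remote user are script arguments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the gist's code): generate the ~/.ssh/config Host block
# for gpg-agent forwarding from gpgconf output instead of hard-coded paths.
set -eu

# Print the Host block. Arguments: host alias, remote user,
# remote agent socket (RemoteForward target), local socket to forward.
build_host_block() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$1"
    printf '    User %s\n' "$2"
    printf '    ForwardAgent yes\n'
    printf '    RemoteForward %s %s\n' "$3" "$4"
}

# Sanity-check the paths before they go into the config: the remote side
# must be the agent's standard socket, the local side the restricted
# extra socket. Returns 0 when both look right, 1 otherwise.
validate_sockets() {
    case "$1" in /*/S.gpg-agent) ;; *) return 1 ;; esac
    case "$2" in /*/S.gpg-agent.extra) ;; *) return 1 ;; esac
    return 0
}

# Ask the local agent for its extra socket and the remote agent (over ssh)
# for its standard socket, then emit the Host block on stdout.
generate_config() {
    host=$1; user=$2
    local_sock=$(gpgconf --list-dirs agent-extra-socket)
    remote_sock=$(ssh "$user@$host" gpgconf --list-dirs agent-socket)
    validate_sockets "$remote_sock" "$local_sock" || {
        echo "unexpected socket paths: $remote_sock / $local_sock" >&2
        return 1
    }
    build_host_block "$host" "$user" "$remote_sock" "$local_sock"
}

# Usage: sh gen-gpg-forward.sh dev.vm alice >> ~/.ssh/config
if [ "$#" -ge 2 ]; then
    generate_config "$1" "$2"
fi
```

The remote side still needs StreamLocalBindUnlink yes in sshd_config so the forwarded socket can be recreated on reconnect.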
    

Configure SSH (remote)

  1. Add the following to /etc/ssh/sshd_config:

    StreamLocalBindUnlink yes
    
  2. Restart sshd:

    systemctl restart sshd
    

Verification

  1. SSH to the remote host and verify that:

    • The public keyring is imported and located at ~/.gnupg/pubring.kbx
    • The S.gpg-agent socket is located at ~/.gnupg/S.gpg-agent
  2. Verify output of gpg --card-status:

    $ gpg --card-status
    Reader ...........: Yubico YubiKey OTP FIDO CCID
    <snip>
    
  3. Encrypt a file on the local machine, copy it to the remote, and attempt to decrypt on the remote:

    $ echo "yubikey" | gpg --encrypt -r dustin.wheeler@nutanix.com > secret.enc
    
    $ scp secret.enc dev.vm:~
    
    $ ssh dev.vm 'gpg --decrypt secret.enc'
    yubikey
    gpg: encrypted with 4096-bit RSA key, ID B7C85D2A5FBBAC05, created 2020-01-13
          "Dustin Wheeler <dustin.wheeler@nutanix.com>"
    
mdwheele commented Sep 7, 2021