SSH with GPG
In this post we replace an SSH private key with a GPG authentication subkey.
Many of us are familiar with Secure Shell (SSH), which allows us to log in to other systems with a key instead of a password. This guide explains how to eliminate your SSH key files and authenticate with GNU Privacy Guard (GPG) instead.
Using GPG does not make your SSH connection more secure. SSH is a secure protocol and SSH keys are secure. What GPG changes is key management: certain forms of key distribution and backup become easier. It also does not change your SSH workflow. All commands continue to work as you expect, except that you no longer have an SSH private key file and instead unlock your GPG key (through gpg-agent) when you connect.
Having SSH authenticate with your GPG key reduces the number of key files you need to secure and back up. It does not relax the requirements on your key hygiene: you still need a strong passphrase and an appropriate strategy for preserving the key. And remember, you should not back your private key up to the cloud!
What are GPG subkeys?
A GPG key is actually a collection of keys. There is one primary key, which is typically used only for certification (signing other keys and its own subkeys), plus one or more subkeys for day-to-day operations. By default GPG creates an encryption subkey alongside the primary key; the same mechanism lets you add a subkey whose only capability is authentication, which is what SSH will use.
Create an authentication subkey
You should already have a GPG key. If you don't, create one first. You add the subkey by editing your existing key, and you need to open it in expert mode to get access to the "set your own capabilities" options.
The workflow below adds a new RSA subkey and lets you choose its capabilities explicitly: toggle off sign and encrypt and toggle on authenticate, so that the only allowed action left is Authenticate. (GnuPG 2.1.13 and later can also do this non-interactively with gpg --quick-add-key, passing the key's fingerprint, the algorithm and the usage "auth".)
$ gpg --expert --edit-key <KEY ID>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Your selection? e
Your selection? a
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (4096)
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
sec rsa2048/8715AF32191DB135
created: 2019-03-21 expires: 2021-03-20 usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/150F16909B9AA603
created: 2019-03-21 expires: 2021-03-20 usage: E
ssb rsa2048/17E7403F18CB1123
created: 2019-03-21 expires: never usage: A
[ultimate] (1). Mohamed Naina
gpg> quit
Save changes? (y/N) y
Enable SSH on GPG agent
The --write-env-file option used by older guides was removed in GnuPG 2.1, so on a current GnuPG enable SSH support through the agent's configuration file instead. Add this line to ~/.gnupg/gpg-agent.conf:
enable-ssh-support
Then restart the agent and point SSH at the agent's SSH socket (put the export in your shell profile so it survives new sessions):
gpgconf --kill gpg-agent
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-agent only offers keys over the SSH protocol if their keygrip is listed in ~/.gnupg/sshcontrol (keys that live on a smartcard are the exception). Find the keygrip of the authentication subkey with gpg -K --with-keygrip and append it, on its own line, to that file.
Then run ssh-add -L
to get the SSH public key (gpg --export-ssh-key <KEY ID> prints the same OpenSSH-format line without going through the agent). Copy it and append it to ~/.ssh/authorized_keys on the server.
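As an added example that is not part of the original post, the script below automates the agent setup on GnuPG 2.1 or later. Its core is a small parser over the machine-readable key listing that picks out the keygrip of every subkey carrying the authenticate capability, which is the step that makes the key visible to ssh-add -L; run with --apply it writes the agent config, registers those keygrips in ~/.gnupg/sshcontrol and prints the OpenSSH public key line. The embedded listing is a constructed sample modelled on the key in this post (key IDs are the post's; fingerprints, keygrips and the uid hash are placeholders), and the function names are my own, not GnuPG's.

```shell
#!/bin/sh
# Added example (not from the original post). Finds the keygrip of every
# authentication-capable subkey in a machine-readable gpg key listing and
# registers it with gpg-agent's SSH support. Assumes GnuPG 2.1 or later
# (gpgconf, --with-keygrip, --export-ssh-key, ~/.gnupg/sshcontrol).
set -eu

# Print the keygrip of each subkey (ssb record) whose capability field contains "a".
# Reads the output of `gpg -K --with-colons --with-keygrip` on stdin. In the colon
# format, field 12 of a key record holds its capabilities (lowercase letters are the
# key's own) and field 10 of the "grp" record that follows it is the keygrip.
auth_keygrips() {
  awk -F: '
    $1 == "sec"         { want = 0 }                       # primary key: not offered to SSH here
    $1 == "ssb"         { want = (index($12, "a") > 0) }   # remember whether this subkey can authenticate
    $1 == "grp" && want { print $10; want = 0 }            # keygrip record belonging to that subkey
  '
}

# Constructed sample of `gpg -K --with-colons --with-keygrip` output, modelled on the
# key from the post. Key IDs are the post's; fingerprints, keygrips and the uid hash
# are placeholders, not real values.
SAMPLE_LISTING='sec:u:2048:1:8715AF32191DB135:1553126400:1616198400::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1553126400::0000000000000000000000000000000000000000::Mohamed Naina::::::::::0:
ssb:u:2048:1:150F16909B9AA603:1553126400:1616198400:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:2048:1:17E7403F18CB1123:1553126400::::::a::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:'

# Keygrip(s) found in the constructed sample: only the "A" subkey should match.
sample_auth_keygrips() {
  printf '%s\n' "$SAMPLE_LISTING" | auth_keygrips
}

# Real setup, run only when invoked as `sh this_script.sh --apply`: enable SSH
# support in gpg-agent, register the authentication subkey(s) with it, and show
# the resulting OpenSSH public key line for authorized_keys.
apply_to_real_keyring() {
  gnupghome="${GNUPGHOME:-$HOME/.gnupg}"
  grep -qs '^enable-ssh-support' "$gnupghome/gpg-agent.conf" \
    || echo 'enable-ssh-support' >> "$gnupghome/gpg-agent.conf"
  gpgconf --kill gpg-agent          # restart so the config change takes effect
  gpg -K --with-colons --with-keygrip | auth_keygrips | while read -r grip; do
    # sshcontrol lists one keygrip per line; skip grips already present
    grep -qs "^$grip" "$gnupghome/sshcontrol" || echo "$grip" >> "$gnupghome/sshcontrol"
  done
  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK
  ssh-add -L                        # now lists the authentication subkey
}

if [ "${1:-}" = "--apply" ]; then
  apply_to_real_keyring
else
  sample_auth_keygrips              # stand-alone run: demonstrate the parser on the sample
fi
```

Without --apply the script only runs the parser over the embedded sample and prints the placeholder keygrip of the authentication subkey; with --apply it touches the real keyring, so read it before running it. The parser deliberately ignores the primary key even when it carries the authenticate capability, matching the post's approach of keeping the primary key for certification only.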
Congratulations!
You have now enabled SSH access using a GPG key for authentication! SSH will continue to work as expected, and the machines you are connecting to won’t need any configuration changes. You’ve reduced the number of key files you need to manage and securely back up while simultaneously enabling the opportunity to take part in different forms of key distribution. Stay safe and practice good key hygiene!