
YubiKey GPG SSH

kyau edited this page May 23, 2023 · 3 revisions

This is a collection of miscellaneous information I have collated in order to get my YubiKey working in Windows how I like it.

This assumes drduh's YubiKey Guide was used to set up the YubiKey.

Importing Existing YubiKey

On a fresh copy of Windows 11, the YubiKey will work with SSH automatically as soon as it is inserted; GPG, however, requires a bit of fiddling.

Open an MSYS2 terminal window to begin.

Check to see if the card is already recognized:

gpg --card-status
🚧 WARNING
If you receive an error regarding the scdaemon version, you will need to kill the current gpg-agent and try again.

Initialize the trust database (gpg creates it on first use):

gpg --list-keys

Import your public key, either from a file or from a keyserver:

gpg --import public.asc

or

gpg --recv 0x1F125B5425110CCE

You should see something similar to the following upon importing the key:

gpg: key 0x1F125B5425110CCE: public key "kyau <kyau@kyau.net>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Edit the local trust database to ultimately trust your key:

gpg --edit-key 0x1F125B5425110CCE

gpg> trust

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

gpg> quit

Testing GPG

Once you have ultimately trusted your GPG key, you can do a test encryption:

echo "test message, hello future self!" | gpg --encrypt --armor --recipient 0x1F125B5425110CCE -o encrypted.txt

One can verify it was encrypted by viewing the file:

cat encrypted.txt

Proceed to the decryption test:

gpg --decrypt --armor encrypted.txt

If you receive a message asking you to insert the card with a different serial number, the inserted key is the backup (secondary) YubiKey. This is fine; you just have to force gpg to use the current card's serial number for all operations instead of the primary's. If you ever switch back to the primary key, run this command again:

gpg-connect-agent "scd serialno" "learn --force" /bye

Run the decryption command again; it should now succeed.
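The import, trust, encrypt and decrypt steps above as one script, including the backup-card fallback. This is an added example, not code from the wiki or from drduh's guide; it assumes gpg, gpg-connect-agent and gpgconf from GnuPG 2.x are on PATH in the MSYS2 shell, the sample card-status text and the error wording matched by needs_card_relearn are constructed assumptions, and the key id is the one used on this page:

```shell
#!/usr/bin/env sh
# Added example (not from this wiki): scripted version of the import/trust/
# encrypt/decrypt checks above, including the backup-card fallback.
# Assumes gpg, gpg-connect-agent and gpgconf from GnuPG 2.x are on PATH.

DEFAULT_KEYID="0x1F125B5425110CCE"   # key id used on this page; pass your own as $2

# Constructed sample of `gpg --card-status` output, used by card_serial below.
SAMPLE_CARD_STATUS='Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: D2760001240103040006123456780000
Serial number ....: 12345678
Name of cardholder: kyau'

# Extract the serial number from `gpg --card-status` text (empty if no card).
card_serial() {
    printf '%s\n' "$1" | sed -n 's/^Serial number[ .]*: *//p' | head -n 1
}

# Return 0 when gpg's error text says the inserted card is not the one the
# secret-key stubs point at (assumed wording; adjust for your GnuPG version).
needs_card_relearn() {
    printf '%s\n' "$1" | grep -qiE 'insert the card with serial number|No secret key'
}

# Ultimately trust a key without the interactive gpg> trust dialog:
# ownertrust level 6 in `gpg --import-ownertrust` format means "ultimate".
set_ultimate_trust() {
    fpr=$(gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s:6:\n' "$fpr" | gpg --import-ownertrust
}

# Encrypt a test message to $1 and decrypt it with the card; if the inserted card
# is the backup YubiKey, re-learn the serial number (as on the page) and retry.
gpg_roundtrip() {
    keyid="$1"
    msg="test message, hello future self!"
    enc=$(mktemp) || return 1
    err=$(mktemp) || return 1
    printf '%s' "$msg" | gpg --encrypt --armor --recipient "$keyid" --yes -o "$enc" || return 1
    plain=$(gpg --decrypt --quiet "$enc" 2>"$err")
    if [ "$plain" != "$msg" ] && needs_card_relearn "$(cat "$err")"; then
        gpg-connect-agent "scd serialno" "learn --force" /bye >/dev/null
        plain=$(gpg --decrypt --quiet "$enc" 2>"$err")
    fi
    rm -f "$enc" "$err"
    [ "$plain" = "$msg" ]
}

# Run the whole check: sh this_script.sh --run [KEYID]
if [ "${1:-}" = "--run" ]; then
    keyid="${2:-$DEFAULT_KEYID}"
    echo "card serial: $(card_serial "$(gpg --card-status 2>/dev/null)")"
    set_ultimate_trust "$keyid" || { echo "could not set ownertrust for $keyid" >&2; exit 1; }
    if gpg_roundtrip "$keyid"; then
        echo "encrypt/decrypt roundtrip OK"
    else
        echo "roundtrip FAILED" >&2; exit 1
    fi
fi
```

Unlike the interactive session above, set_ultimate_trust reads the fingerprint with --with-colons and feeds it to --import-ownertrust, so the same script can be re-run on every fresh machine. gpg_roundtrip only falls back to "learn --force" when the decrypt error looks like a card mismatch; a genuine failure (wrong recipient, missing stubs) still returns non-zero.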

SSH w/ Forwarding

Check to make sure the ssh-agent is picking up the key from your YubiKey with the following:

ssh-add -L

Open up the file ~/.ssh/config in an editor and add the following at the bottom:

Host *.kyaulabs *.kyaulabs.com
    Port 4222
    ForwardAgent yes
    StreamLocalBindUnlink yes
    RemoteForward /home/kyau/.gnupg/S.gpg-agent /c/Users/Kyau/.gnupg/S.gpg-agent.extra

Now, provided AllowAgentForwarding and StreamLocalBindUnlink are set to yes in the remote machine's /etc/ssh/sshd_config, forwarding for both GPG and SSH should work for all hosts matched by the above Host pattern (edit it to your liking).

To verify, SSH to a machine matched by the above pattern and execute the following commands:

gpg --list-keys
ssh-add -L

If GPG still does not forward correctly, connect to the remote machine, kill any running gpg-agent, and then remove all existing sockets:

killall gpg-agent
rm ~/.gnupg/S.*
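A small set of helpers for the forwarding setup described in this section: one checks whether a remote sshd_config actually allows the RemoteForward to work, and one builds the Host block from the socket paths gpgconf reports instead of hard-coding them. This is an added example, not code from the wiki; it assumes OpenSSH's rule that the first occurrence of a keyword wins, the sshd_config sample is constructed, and cygpath (present in MSYS2) is optional:

```shell
#!/usr/bin/env sh
# Added example (not from this wiki): check the sshd side of the forwarding
# setup above and build the Host block from the socket paths gpgconf reports.
# Assumes OpenSSH sshd_config semantics and GnuPG 2.x gpgconf; cygpath is optional (MSYS2).

# Constructed sshd_config sample: global directives first, then a Match block.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 4222
AllowAgentForwarding yes
StreamLocalBindUnlink yes
Match User deploy
    StreamLocalBindUnlink no'

# Print the effective global value of an sshd_config keyword read from stdin.
# sshd uses the FIRST occurrence of a keyword, so a later duplicate does not win;
# directives inside Match blocks are skipped (they apply only to matching sessions).
sshd_effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }'
}

# Return 0 when the config lets the RemoteForward in ~/.ssh/config work:
# AllowAgentForwarding defaults to yes when unset, StreamLocalBindUnlink to no.
sshd_forwarding_ready() {
    aaf=$(printf '%s\n' "$1" | sshd_effective_value AllowAgentForwarding)
    slbu=$(printf '%s\n' "$1" | sshd_effective_value StreamLocalBindUnlink)
    [ "${aaf:-yes}" = "yes" ] && [ "${slbu:-no}" = "yes" ]
}

# Emit the ~/.ssh/config block from the page for a host pattern, port and the two socket paths.
ssh_config_block() {
    printf 'Host %s\n    Port %s\n    ForwardAgent yes\n    StreamLocalBindUnlink yes\n    RemoteForward %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Local extra socket as gpgconf reports it, converted to an MSYS2-style path when cygpath exists.
# The remote path comes from running `gpgconf --list-dirs agent-socket` on the remote machine.
local_extra_socket() {
    s=$(gpgconf --list-dirs agent-extra-socket) || return 1
    if command -v cygpath >/dev/null 2>&1; then cygpath -u "$s"; else printf '%s\n' "$s"; fi
}

# Demo: sh this_script.sh --demo [copy-of-remote-sshd_config]
if [ "${1:-}" = "--demo" ]; then
    cfg=$(cat "${2:-/dev/null}")
    [ -n "$cfg" ] || cfg="$SAMPLE_SSHD_CONFIG"
    if sshd_forwarding_ready "$cfg"; then
        echo "sshd: forwarding ready"
    else
        echo "sshd: set AllowAgentForwarding yes and StreamLocalBindUnlink yes" >&2
    fi
    ssh_config_block '*.kyaulabs *.kyaulabs.com' 4222 /home/kyau/.gnupg/S.gpg-agent \
        "$(local_extra_socket || echo '<agent-extra-socket from gpgconf>')"
fi
```

The remote socket path in the wiki's RemoteForward line is specific to the author's home directory; on many distributions gpg-agent listens under /run/user/UID/gnupg instead, which is why the helper takes the path from gpgconf on each side rather than assuming ~/.gnupg.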