ED25519 SSH! Key on Nitrokey Start


#1

I just chatted a bit with Jan (there is #nitrokey:matrix.org) and my basic idea was to put a normal SSH key on the Nitrokey Start next to a GPG key.

GPG Key:
main: rsa4096 [SC]
sub: rsa4096[E]

SSH Key:
ed25519 (with ssh-keygen -t ed25519), probably [A]?

Putting the GPG Key on the Nitrokey Start is easy, but the normal SSH Key which is by default in ~/.ssh/id_ed25519 is not. Has anyone already tried to do this? We do NOT want a subkey for [A] in the GPG keyring!


#2

Generating key: https://dokuwiki.nausch.org/doku.php/fedora:nitrokey:start#ed25519-schluessel_generieren

Using SSH: https://dokuwiki.nausch.org/doku.php/fedora:nitrokey:start#nitrokey_start_und_secure_shell


#3

In this case you generate the key on the Nitrokey. Is it possible to add
an already existing ed25519 key (which is NOT bound to any gpg agent or
something similar) to the Nitrokey?


#4

Hi,

what you want to achieve is technically possible (the internal OpenPGP Card can import raw key meterial), but there is no software that would support this yet. The difficulty is to make a SSH key, which is simple key material, into something that has the meta information which is normally stored in a complete OpenPGP key.

Unless you don’t plan to implement specific software yourself, you are currently not able to achieve what you try to do.

Kind regards
Alex


#5

EDT: Sorry, only now I noted the We do NOT want a subkey for [A] in the GPG keyring!. Just ignore my post.

By default, a gpg “certificate” is made of 1 master key pair and 1 subkey pair. The master one is used to [S]ign and do symmetric en[C]ription. The subkey one is used for asymmetric [E]ncryption. BUT you can create a 2nd subkey pair and set them to [A]uthentication role. I just use that way (only software, I don’t have a NK). In that case, you need to disable ssh-agent and use only gpg-agent.

$ gpg -k julio
pub   rsa4096 2016-12-05 [SC] [expires: 2026-12-03]
      3A7F57C9A4965E0890AF50B5C4D5D606354C79A9
uid           [ultimate] Júlio Mendes de Albuquerque Maranhão <julio.maranhao@gmail.com>
uid           [ultimate] Júlio Mendes de Albuquerque Maranhão <julio@maranhao.xyz>
sub   rsa4096 2016-12-05 [E] [expires: 2026-12-03]
sub   ed25519 2018-09-06 [A] [expires: 2020-02-28]

You just need patience to read and understand the tutorials from the internet. This is my .bashrc (cygwin):

unset SSH_AGENT_PID
export GPG_TTY=$(tty)
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
gpg-connect-agent /bye

Your config may need to be different.

It was cumbersome[*] to import an ssh key to gpg as a subkey. I recommend to generate a new subkey and set it to [A] role (I did). And remember to change sshcontrol file (~/.gnupg/sshcontrol) to include the new subkey keygrip (read the manual, pretty easy).

Good luck.

[*]There is no tool to make this import but if you are willing to program them you can generate a new gpg certificate (software and with A subkey), export it as PEM private block, decode/hack it in python, for instance, change the subkey material and regenerate the PEM file. Just an idea for anyone willing to do this.


#6

From what I’m reading you do not want a subkey. It’s of course possible to generate a PGP key from raw material (there are some projects that do this, and I am working on finalizing just one such library in C++ myself). The problem is that to be able to use it I guess you still need to import this key into your keyring for the nitrokey to handle the requests.

Is the issue that you want to import a specific key onto the nitrokey for authentication (say, because it’s already trusted everywhere), or is it something else?


#7

It is just about using the SSH key which already exists. Importing it to
the keyring would not be an issue. If this tool is ready, can you please
share it?