ED25519 SSH! Key on Nitrokey Start

I just chatted a bit with Jan (there is #nitrokey:matrix.org) and my basic idea was to put a normal SSH key on the Nitrokey Start next to a GPG key.

GPG Key:
main: rsa4096 [SC]
sub: rsa4096[E]

SSH Key:
ed25519 (with ssh-keygen -t ed25519), probably [A]?

Putting the GPG Key on the Nitrokey Start is easy, but the normal SSH Key which is by default in ~/.ssh/id_ed25519 is not. Has anyone already tried to do this? We do NOT want a subkey for [A] in the GPG keyring!

Generating key: https://dokuwiki.nausch.org/doku.php/fedora:nitrokey:start#ed25519-schluessel_generieren

Using SSH: https://dokuwiki.nausch.org/doku.php/fedora:nitrokey:start#nitrokey_start_und_secure_shell

In this case you generate the key on the Nitrokey. Is it possible to add
an already existing ed25519 key (which is NOT bound to any gpg agent or
something similar) to the Nitrokey?

1 Like


what you want to achieve is technically possible (the internal OpenPGP Card can import raw key meterial), but there is no software that would support this yet. The difficulty is to make a SSH key, which is simple key material, into something that has the meta information which is normally stored in a complete OpenPGP key.

Unless you don’t plan to implement specific software yourself, you are currently not able to achieve what you try to do.

Kind regards

1 Like

EDT: Sorry, only now I noted the We do NOT want a subkey for [A] in the GPG keyring!. Just ignore my post.

By default, a gpg “certificate” is made of 1 master key pair and 1 subkey pair. The master one is used to [S]ign and do symmetric en[C]ription. The subkey one is used for asymmetric [E]ncryption. BUT you can create a 2nd subkey pair and set them to [A]uthentication role. I just use that way (only software, I don’t have a NK). In that case, you need to disable ssh-agent and use only gpg-agent.

$ gpg -k julio
pub   rsa4096 2016-12-05 [SC] [expires: 2026-12-03]
uid           [ultimate] Júlio Mendes de Albuquerque Maranhão <julio.maranhao@gmail.com>
uid           [ultimate] Júlio Mendes de Albuquerque Maranhão <julio@maranhao.xyz>
sub   rsa4096 2016-12-05 [E] [expires: 2026-12-03]
sub   ed25519 2018-09-06 [A] [expires: 2020-02-28]

You just need patience to read and understand the tutorials from the internet. This is my .bashrc (cygwin):

export GPG_TTY=$(tty)
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-connect-agent /bye

Your config may need to be different.

It was cumbersome[*] to import an ssh key to gpg as a subkey. I recommend to generate a new subkey and set it to [A] role (I did). And remember to change sshcontrol file (~/.gnupg/sshcontrol) to include the new subkey keygrip (read the manual, pretty easy).

Good luck.

[*]There is no tool to make this import but if you are willing to program them you can generate a new gpg certificate (software and with A subkey), export it as PEM private block, decode/hack it in python, for instance, change the subkey material and regenerate the PEM file. Just an idea for anyone willing to do this.

1 Like

From what I’m reading you do not want a subkey. It’s of course possible to generate a PGP key from raw material (there are some projects that do this, and I am working on finalizing just one such library in C++ myself). The problem is that to be able to use it I guess you still need to import this key into your keyring for the nitrokey to handle the requests.

Is the issue that you want to import a specific key onto the nitrokey for authentication (say, because it’s already trusted everywhere), or is it something else?

It is just about using the SSH key which already exists. Importing it to
the keyring would not be an issue. If this tool is ready, can you please
share it?

It’s taken some time, much more than I’d wished, but the library part is now finally in a usable state. If you have access to the raw key material you should be able to create a PGP key using it and import it into your keyring.

The library can be found at https://github.com/summitto/pgp-packet-library

I hope the examples provided there should be enough to get you going, if not, you could open an issue for it there.

1 Like