Last active
July 13, 2025 19:28
yubikey SSH simple guide for SSH resident keys
# To generate:
```
ssh-keygen -t ed25519-sk -O resident -O verify-required -C "0000000" -O application=ssh:0000000 -f $HOME/.ssh/id_ed25519_sk_000000
```
The `-O application=ssh:0000000` option ensures that the key is imported and saved under that name when you run `ssh-keygen -K`, preventing overwrites.
If you move to a new computer, just run this on it:
```
ssh-keygen -K
```
This loads the secret key ID (not the actual secret key) from the YubiKey and places it in the `.ssh` folder when run from there (`ssh-keygen -K` writes its files to the current directory).
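The application string set with `-O application=...` is stored inside the public key itself, so it can be read back from the `.pub` files to spot keys that share one. The Python below is an added example, not part of the original gist; it parses the sk key layout documented in OpenSSH's PROTOCOL.u2f, and the sample keys and the `make_sample` helper are constructed for illustration.

```python
import base64, struct
from collections import defaultdict

SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def sk_application(pub_line):
    """Return (key_type, application, comment) for one sk public-key line."""
    fields = pub_line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    key_type = key_type.decode()
    if key_type != fields[0] or key_type not in SK_TYPES:
        raise ValueError("not a FIDO (sk) key: " + fields[0])
    if key_type.startswith("sk-ecdsa"):
        _, off = _read_string(blob, off)   # curve name comes first for ECDSA
    _, off = _read_string(blob, off)       # public key bytes / EC point
    application, _ = _read_string(blob, off)
    return key_type, application.decode(), fields[2].strip() if len(fields) > 2 else ""

def shared_applications(pub_lines):
    """Map each application string used by more than one key to their comments."""
    seen = defaultdict(list)
    for line in pub_lines:
        _, app, comment = sk_application(line)
        seen[app].append(comment)
    return {app: c for app, c in seen.items() if len(c) > 1}

def make_sample(application, comment, fill):
    """Build a constructed sk-ssh-ed25519 .pub line with a dummy 32-byte key."""
    parts = [b"sk-ssh-ed25519@openssh.com", bytes([fill]) * 32, application.encode()]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "sk-ssh-ed25519@openssh.com %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed samples: one key with the gist's application string, two left at
# the ssh-keygen default application "ssh:".
SAMPLES = [make_sample("ssh:0000000", "0000000", 1),
           make_sample("ssh:", "laptop", 2), make_sample("ssh:", "desktop", 3)]

if __name__ == "__main__":
    print(shared_applications(SAMPLES))
```

Feed it the lines of the `.pub` files in `~/.ssh`; any application string it reports is used by more than one key.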
# To use:
```
sudo apt install -y gnupg2 gnupg-agent scdaemon pcscd yubikey-manager
```
```
gpg --card-status
```
Add this to your shell profile (~/.bashrc, ~/.zshrc, etc.):
```
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```
Then reload your shell or run:
```
source ~/.bashrc # or ~/.zshrc
```