---
title: How to Store an SSH Key on a Yubikey
date: 2022-05-27
series: howto
tags:
 - yubikey
 - security
---

SSH keys suck. By default they are a file on the disk that you can easily copy
to other machines, instead of living in hardware where they can't be
exfiltrated. Using a password to encrypt the private key is a viable option, but
the UX for that is hot garbage. It's allegedly the future, so surely we MUST
have some way to make this all better, right?

<xeblog-conv name="Numa" mood="delet">\>implying there is a way to make anything
security related better</xeblog-conv>

Luckily, there is actually something we can do for this! As of [OpenSSH
8.2](https://www.openssh.com/releasenotes.html#8.2) (February 14, 2020) you are
able to store an SSH private key on a yubikey! Here's how to do it.

<xeblog-conv name="Mara" mood="hacker">This should work on other FIDO keys like
Google's Titan, but we don't have access to one over here and as such haven't
tested it. Your mileage may vary. We are told that it works with the Google
Titan key that is handed out to Go contributors.</xeblog-conv>

First install `yubikey-manager` (see
[here](https://www.yubico.com/support/download/yubikey-manager/) for more
information, or run `nix-shell -p yubikey-manager` to run it without installing
it on NixOS), plug in your yubikey and run `ykman list`:

```console
$ ykman list
YubiKey 5C NFC (5.4.3) [OTP+FIDO+CCID] Serial: 4206942069
```

If you haven't set a PIN for the yubikey yet, follow
[this](https://docs.yubico.com/software/yubikey/tools/ykman/FIDO_Commands.html#ykman-fido-access-change-pin-options)
to set a PIN of your choice. Once you do this, you can generate a new SSH key
with the following command:

```console
$ ssh-keygen -t ed25519-sk -O resident
```

<xeblog-conv name="Mara" mood="hacker">If that fails, try `ecdsa-sk`
instead! Some hardware keys may not support storing the key on the key
itself.</xeblog-conv>

Then enter a super secret passphrase (such as the Tongues you received as a kid
when you were forced into learning the bible against your will) twice, and add
the key to your agent with `ssh-add -K`. You can then list your keys with
`ssh-add -L`:

```console
$ ssh-add -L
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKgGePSwpBuHUhrFCRLch9Usqi7L0fKtgTRnh6F/R+ruAAAABHNzaDo= cadey@shachi
```

Then you can copy this public key to GitHub or whatever and authenticate as
normal. The private key lives on your yubikey directly; the file at
`~/.ssh/id_ed25519_sk` is only a stub that points at it, and `ssh-add -K` loads
the key straight from the yubikey without needing that stub. You can delete the
stub, and then your yubikey will be the only thing holding that key.