Security · July 27, 2021 · 2 min read

Secure SSH Keys using FIDO2/U2F Security Keys

How to use ed25519-sk keys for 2FA SSH authentication. No more GPG hacks. Works with any FIDO2/U2F-compatible security key.

GPG for SSH is not ideal

Traditionally, using SSH with a security key such as a YubiKey meant going through GPG. That worked, more or less, but it severely limited the number of keys we could use, forcing us to reuse the same SSH key across multiple systems. GPG also required extra configuration on the client side, which made it a poor fit if you wanted ease of use and compatibility, or wanted to use the built-in ssh-agent.

Benefits over using GPG

Since OpenSSH 8.2, FIDO/U2F security keys are supported natively, which turns this previously cumbersome process into something very simple and considerably more secure.

Generate Your New Keys

SSH keys with the suffix -sk use FIDO/U2F devices such as YubiKeys as a second factor. We’ll be generating ed25519-sk keys, based on the Ed25519 elliptic-curve signature algorithm.

First, check your SSH version (it should be 8.2 or newer):

ssh -V

Insert your security key and generate a new pair:

ssh-keygen -t ed25519-sk -f <Keyfile location>

Follow the on-screen instructions, enter your security key’s PIN, and optionally set a passphrase for your new SSH key for even tighter security. You may also need to touch the key after entering the PIN.

Your new 2FA keys are ready for use. These keys work the same way as any other SSH key — but now every time you use them you’ll be prompted for your security key as the second factor.

Deploy to Your Server

Simply add the public part of your key (the file ending in .pub) to the user’s authorized_keys file in $HOME/.ssh/ on the server.

Note: The server’s sshd binary must also be at least version 8.2 for these keys to work.
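The three steps above (version check, key generation, deploying the public key) as POSIX shell helpers. This is an added example, not code from the original post; the install helper with its 700/600 permission handling and the sample public key line are my own assumptions (the key blob is constructed and does not decode to a real key), and key generation still needs the physical security key inserted.

```shell
# Added example: shell helpers for the steps above (not code from the original post).
# Assumes a POSIX sh and OpenSSH's ssh/ssh-keygen on PATH for the real steps.

# Return 0 if an "ssh -V" banner names OpenSSH 8.2 or newer, the first release
# with native FIDO/U2F support. ssh -V prints to stderr, so capture it with:
#   ssh_version_ok "$(ssh -V 2>&1)"
ssh_version_ok() {
    # e.g. "OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020" -> "8 2"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Generate a new ed25519-sk pair at the path given in $1. The security key must
# be inserted; ssh-keygen asks for its PIN, a touch, and an optional passphrase.
gen_sk_key() {
    ssh_version_ok "$(ssh -V 2>&1)" || { echo "OpenSSH 8.2 or newer required" >&2; return 1; }
    ssh-keygen -t ed25519-sk -f "$1"
}

# Append one public key line ($1) to an authorized_keys file ($2) on the server.
# Refuses anything that is not a FIDO (-sk) key, is idempotent, and sets the
# directory/file modes that sshd's StrictModes expects (700 / 600).
install_sk_pubkey() {
    pub=$1; ak=$2
    case $pub in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
        *) echo "refusing non-FIDO public key" >&2; return 1 ;;
    esac
    dir=$(dirname "$ak")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    grep -qxF "$pub" "$ak" || printf '%s\n' "$pub" >> "$ak"
}

# Constructed sample in the format ssh-keygen writes for ed25519-sk public keys.
# The blob is made up and does not decode to a real key; it only exercises the helper.
SAMPLE_SK_PUB='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEV4YW1wbGVfYmxvYl9ub3RfYV9yZWFsX2tleV8wMDAwAAAABHNzaDo= alice@laptop'
```

Run the real steps with `gen_sk_key ~/.ssh/id_ed25519_sk` on the client and `install_sk_pubkey "$(cat id_ed25519_sk.pub)" ~/.ssh/authorized_keys` on the server.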
