Is --export-ssh-key functionality possible with GnuPG 2.0?

Stephan Beck stebe at
Thu Nov 24 17:51:00 CET 2016

Hi Teemu,

Teemu Likonen:
> Keys with authentication capability can be used with ssh, and GnuPG
> 2.1's command --export-ssh-key will export the ssh public key. Right?

Yes, --export-ssh-key has been introduced in gpg with release of version
To set the whole thing up, a few more steps are necessary
(--enable-ssh-support in gpg.conf still is necessary AFAIK, but this is
the "new" export command.
> Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be
> told to export ssh public keys?

Yes, but it's a bit more laborious in comparison to gpg >= 2.1.11

A) You do not use a smart card --> B) you use a smart card
A1) Install the monkeysphere package (1) that includes openpgp2ssh tool
A2) Export the secret subkey you'd like to use for ssh authentication
purposes and pipe it through openpgp2ssh
gpg2 --export-secret-subkeys \
  --export-options export-reset-subkey-passwd [keyID!] | \
  openpgp2ssh [keyID] > gpg-auth-keyfile

A3) Set correct permissions

chmod 0600 gpg-auth-keyfile

A4) Add the key to the agent
ssh-add gpg-auth-key-file

A4) Check that the key effectively is loaded

ssh-add -l

A5) Extract the *public* key for use in the ~/.ssh/authorized_keys file

ssh-add -L


gpgkey2ssh [keyID]

B) You use a smart card and have it inserted

Transfer your secret authentication subkey to the smart card by typing first

B1) gpg2 --edit-key [keyID]

Toggle and select the correct subkey

B2) gpg> toggle

B3) key [N]
N depends on the number of subkeys and describes the position of the key
in the listing

B4) Transfer the authentication subkey to the card

gpg> keytocard

Select the correct slot of the card for the auth subkey to be stored
Usually, it's "3"

B5) Enter passphrase

B6) Enter your card ADMIN PIN

B7) gpg> save



List member Damien Goute-Gattat has an excellent write-up to be found at:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161124/f32422b9/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161124/f32422b9/attachment-0001.sig>

More information about the Gnupg-users mailing list