2024-03-27 18:38:02 +01:00
# pgp2ssh
2024-03-26 14:48:45 +01:00
2024-03-27 17:45:12 +01:00
Derive private ed25519 SSH key from private PGP key.
GPG itself only supports exporting _public_ SSH keys and other tools don't work for ed25519 keys.
2024-03-26 14:48:45 +01:00
##### Notes:
- A tool exists to do this for RSA keys: [openpgp2ssh ](https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html ) but it does not seem to support `ed25519` keys
- Work on `gnupg` was started for this feature, but never finished see this
issue and commit: https://dev.gnupg.org/T6647
2024-03-27 17:45:12 +01:00
## Instructions
2024-03-25 17:22:47 +01:00
2024-03-27 17:45:12 +01:00
First you need to export your PGP key from GPG:
2024-03-25 17:25:08 +01:00
```sh
2024-03-27 17:45:12 +01:00
❯
2024-03-25 17:22:47 +01:00
```
2024-03-27 17:45:12 +01:00
Then identify the public SSH key that was used to encrypt your secret.
You can search for your GitHub username in: https://fluence-dao.s3.eu-west-1.amazonaws.com/metadata.json
2024-03-25 17:22:47 +01:00
2024-03-27 17:45:12 +01:00
If you have multiple subkeys, usually it is the authenticate key highlighted with `[A]` in the output of:
2024-03-25 17:22:47 +01:00
```sh
2024-03-27 17:45:12 +01:00
❯
2024-03-25 17:22:47 +01:00
```
2024-03-27 17:45:12 +01:00
### Derive private SSH key
2024-03-25 17:22:47 +01:00
```sh
2024-03-27 21:32:12 +01:00
❯
❯
2024-03-25 17:22:47 +01:00
```
2024-03-28 11:04:10 +01:00
**Nix/NixOS Users**
A flake is provided for Nix users. Just use `nix run` instead of building and
running manually.
2024-03-27 17:45:12 +01:00
It'll ask you for the path to your private PGP key, followed by choosing the key/subkey and if your PGP key is encrypted it'll ask for the passphrase.
2024-03-25 17:22:47 +01:00
2024-03-27 17:45:12 +01:00
In the output, verify that the public SSH key printed matches the one in `metadata.json` .
If it matches, the last part of the output it will print the matching private SSH key.
You can save the key to a file and use how you want.
2024-03-26 14:48:45 +01:00
2024-03-27 17:45:12 +01:00
### Example: Decrypt age files
2024-03-25 17:22:47 +01:00
2024-03-27 17:45:12 +01:00
If you want to decrypt a file that was encryptd by `age` with your public SSH key, you can just use `age` as normal to decrypt the file using the SSH private key that we've got in the previous step:
```sh
❯
2024-03-27 18:20:24 +01:00
```
2024-04-02 11:28:37 +02:00
## Troubleshooting
If the conversion fails with the error:
```
2024/03/27 22:09:09 openpgp: invalid data: user ID signature with wrong type
```
You might be missing the private key of your subkeys. When running `gpg -K` you
should **NOT** see a `>` infront of the keys like this:
```
ssb> ed25519/0xB68746238E59B548 2018-07-09 [S] [expires: 2026-01-02]
Keygrip = C89E5AABCBF7142DBC26E68FB3121DE12DCBF4FF
ssb> cv25519/0x65CD5E0200C56C17 2018-07-09 [E] [expires: 2026-01-02]
Keygrip = 867EA9F6ADBEBE18ED98253B884F53CBD53C526B
ssb> ed25519/0xF36CF32DF9B09855 2018-07-09 [A] [expires: 2026-01-02]
Keygrip = 553D56865642B05AB3C5B62DC68795691702B960
```
The `>` (corner of a card) indicates, that the private part is on a smart card
or not available. This may also be caused by expired keys. For possible
solutions see https://github.com/pinpox/pgp2ssh/issues/6
2024-03-27 18:20:24 +01:00
### Support & Donations
This project was built with lots of headaches by [pinpox ](https://github.com/pinpox/ ) & [felschr ](https://github.com/felschr/ ). If you need help, feel free to contact us.
And if you want to thank us, you can send us any crypto or token to our Ethereum / Polygon wallets 😊:
2024-06-01 13:19:56 +02:00
pinpox: `0xde031f16976AFcaC613087B6213Eb521F63d3A49`
2024-03-27 18:38:02 +01:00
felschr: `0xD66753D737603E18018281E298Df86DE402d313E`
2024-04-02 11:28:37 +02:00
< a href = "https://www.buymeacoffee.com/pinpox" > < img src = "https://img.buymeacoffee.com/button-api/?text=Buy me a coffee&emoji=😎&slug=pinpox&button_colour=82aaff&font_colour=000000&font_family=Inter&outline_colour=000000&coffee_colour=FFDD00" > < / a >
