pgp2ssh/README.md

# pgp2ssh

Derive private ed25519 SSH key from private PGP key.

GPG itself only supports exporting _public_ SSH keys and other tools don't work for ed25519 keys.

##### Notes:

- A tool exists to do this for RSA keys: [openpgp2ssh](https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html) but it does not seem to support `ed25519` keys
- Work on `gnupg` was started for this feature, but never finished see this
  issue and commit: https://dev.gnupg.org/T6647

## Instructions

First you need to export your PGP key from GPG:

```sh
❯ gpg2 --export-secret-keys --armor test@test.test >priv-gpg
```

Then identify the public SSH key that was used to encrypt your secret.
You can search for your GitHub username in: https://fluence-dao.s3.eu-west-1.amazonaws.com/metadata.json

If you have multiple subkeys, usually it is the authenticate key highlighted with `[A]` in the output of:

```sh
❯ gpg --list-secret-keys --with-keygrip
```

### Derive private SSH key

```sh
❯ go build
❯ ./pgp2ssh
```

**Nix/NixOS Users**

A flake is provided for Nix users. Just use `nix run` instead of building and
running manually.

It'll ask you for the path to your private PGP key, followed by choosing the key/subkey and if your PGP key is encrypted it'll ask for the passphrase.

In the output, verify that the public SSH key printed matches the one in `metadata.json`.
If it matches, the last part of the output it will print the matching private SSH key.
You can save the key to a file and use how you want.

### Example: Decrypt age files

If you want to decrypt a file that was encryptd by `age` with your public SSH key, you can just use `age` as normal to decrypt the file using the SSH private key that we've got in the previous step:

```sh
❯ age --decrypt --identity ./ssh-secret-key --output decrypted ./testfile.txt.age
```

### Support & Donations

This project was built with lots of headaches by [pinpox](https://github.com/pinpox/) & [felschr](https://github.com/felschr/). If you need help, feel free to contact us.

And if you want to thank us, you can send us any crypto or token to our Ethereum / Polygon wallets 😊:  
pinpox: `0x3d479e19ae8d1a67becdaeaf8d2d37c8e425bd03`
felschr: `0xD66753D737603E18018281E298Df86DE402d313E`
-												Update README.md
											
										
										
											2024-03-27 18:38:02 +01:00
+								# pgp2ssh
-												update readme

											
										
										
											2024-03-26 14:48:45 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								Derive private ed25519 SSH key from private PGP key.
 								GPG itself only supports exporting _public_ SSH keys and other tools don't work for ed25519 keys.
-												update readme

											
										
										
											2024-03-26 14:48:45 +01:00
 								##### Notes:
 								- A tool exists to do this for RSA keys: [openpgp2ssh](https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html) but it does not seem to support `ed25519` keys
 								- Work on `gnupg` was started for this feature, but never finished see this
 								  issue and commit: https://dev.gnupg.org/T6647
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								## Instructions
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								First you need to export your PGP key from GPG:
-												Update readme

											
										
										
											2024-03-25 17:25:08 +01:00
 								```sh
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								❯ gpg2 --export-secret-keys --armor test@test.test >priv-gpg
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
+								```
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								Then identify the public SSH key that was used to encrypt your secret.
 								You can search for your GitHub username in: https://fluence-dao.s3.eu-west-1.amazonaws.com/metadata.json
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								If you have multiple subkeys, usually it is the authenticate key highlighted with `[A]` in the output of:
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
 								```sh
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								❯ gpg --list-secret-keys --with-keygrip
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
+								```
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								### Derive private SSH key
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
+								```sh
-												Update module name

											
										
										
											2024-03-27 21:32:12 +01:00
+								❯ go build
 								❯ ./pgp2ssh
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
+								```
-												Add flake

											
										
										
											2024-03-28 11:04:10 +01:00
+								**Nix/NixOS Users**
 								A flake is provided for Nix users. Just use `nix run` instead of building and
 								running manually.
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								It'll ask you for the path to your private PGP key, followed by choosing the key/subkey and if your PGP key is encrypted it'll ask for the passphrase.
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								In the output, verify that the public SSH key printed matches the one in `metadata.json`.
 								If it matches, the last part of the output it will print the matching private SSH key.
 								You can save the key to a file and use how you want.
-												update readme

											
										
										
											2024-03-26 14:48:45 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								### Example: Decrypt age files
-												add test key

											
										
										
											2024-03-25 17:22:47 +01:00
-												docs(README): update instructions

											
										
										
											2024-03-27 17:45:12 +01:00
+								If you want to decrypt a file that was encryptd by `age` with your public SSH key, you can just use `age` as normal to decrypt the file using the SSH private key that we've got in the previous step:
 								```sh
 								❯ age --decrypt --identity ./ssh-secret-key --output decrypted ./testfile.txt.age
-												docs(README): add support & donations section

											
										
										
											2024-03-27 18:20:24 +01:00
+								```
 								### Support & Donations
 								This project was built with lots of headaches by [pinpox](https://github.com/pinpox/) & [felschr](https://github.com/felschr/). If you need help, feel free to contact us.
 								And if you want to thank us, you can send us any crypto or token to our Ethereum / Polygon wallets 😊:
 								pinpox: `0x3d479e19ae8d1a67becdaeaf8d2d37c8e425bd03`
-												Update README.md
											
										
										
											2024-03-27 18:38:02 +01:00
+								felschr: `0xD66753D737603E18018281E298Df86DE402d313E`