DEV Community

Libert S
Yubikey meets an EC2 instance

I recently got a Yubikey to lock down some of my most critical accounts. In the process, I discovered that the Yubikey also carries an OpenPGP applet with three key slots: Sign, Encrypt and Authenticate.

This is a game-changer in terms of security, since my private RSA keys no longer have to live on my computer (a hot environment, because it touches the internet): once a key is on the card it cannot be exported again, and every operation needs the card plugged in and the PIN entered.

How to generate the OpenPGP keys and load them onto the Yubikey is well explained in this playlist:

https://youtube.com/playlist?list=PLmoQ11MXEmahVl_uJVH0-a3XJtMV59PBu

The EC2 way

When we launch a new EC2 instance we choose a key pair: AWS installs the public half in the default user's authorized_keys and hands us the private half as a pem file, which we then pass to SSH.

ssh -i keypair.pem ubuntu@ec2-*********.com

What I used to do was load the pem key into my ssh-agent, so that I could ssh to the instance without passing the key as a parameter:

ssh-add keypair.pem
ssh ubuntu@ec2-*********.com

EC2 + Yubikey

Assuming that your Authentication key is already on the Yubikey, all you have to do is plug the device in and point SSH at gpg-agent's SSH socket instead of the ordinary ssh-agent socket. gpg-agent speaks the ssh-agent protocol once enable-ssh-support is set in ~/.gnupg/gpg-agent.conf (restart the agent after adding it), and the variable has to be exported, otherwise the ssh child process never sees it:

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

After doing that, every ssh invocation talks to gpg-agent, which hands the signing operation to the card; the private key never leaves the Yubikey.

Now copy the SSH public key that corresponds to the card's Authentication key to the EC2 instance. ssh-add -L prints it (gpg-agent lists card keys with a cardno: comment), and ssh-copy-id without -i copies exactly the keys the agent lists. This last hop still has to authenticate with the AWS pem key, because the card key is not on the instance yet:

ssh-add -L
ssh-copy-id -o IdentityFile=keypair.pem ubuntu@ec2-*********.com

Now everything is in place to SSH into your EC2 instance with your Yubikey. gpg-agent asks for the card's user PIN through pinentry (and caches it), and if the Authentication slot has a touch policy the key blinks until you touch it:

ssh ubuntu@ec2-*********.com

**waits for confirmation in the yubikey**

ubuntu@ec2-local:/home/ubuntu
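The whole procedure above as one script, an added example that is not part of the original post. It assumes GnuPG 2.1 or later and OpenSSH on the laptop, a YubiKey whose OpenPGP Authentication slot is already populated, and that gpg-agent labels card keys with the comment cardno:<serial> in ssh-add -L output; the target host, the pem path and the output file name yubikey_auth.pub are placeholders. It goes one step beyond the post: after the card login has been verified it removes the AWS key pair from authorized_keys on the instance, which the post leaves in place.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Bootstraps YubiKey-backed SSH
# to an EC2 instance through gpg-agent, then retires the AWS-generated key pair.
# Assumes: GnuPG 2.1+ (gpg, gpgconf), OpenSSH (ssh, ssh-add, ssh-copy-id,
# ssh-keygen), and a YubiKey whose OpenPGP Authentication slot is already filled.
# Usage: ./yubikey-ssh.sh ubuntu@ec2-xxx.compute.amazonaws.com keypair.pem
set -eu

# 1. gpg-agent only speaks the ssh-agent protocol when enable-ssh-support is in
#    its config. Idempotent; the path is a parameter so a scratch file can be used.
ensure_ssh_support() {
  conf="$1"
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  if grep -qx 'enable-ssh-support' "$conf"; then
    echo already-enabled
  else
    echo 'enable-ssh-support' >> "$conf"
    echo restart-needed
  fi
}

# 2. Point ssh at gpg-agent's socket. SSH_AUTH_SOCK must be exported; a bare
#    assignment never reaches the ssh child process. A running ssh-agent is left
#    alone but is no longer consulted.
use_gpg_agent_for_ssh() {
  if [ "$(ensure_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf")" = restart-needed ]; then
    gpgconf --kill gpg-agent   # the config is only read at start-up
  fi
  gpgconf --launch gpg-agent
  SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
  export SSH_AUTH_SOCK
  unset SSH_AGENT_PID
  gpg --card-status >/dev/null   # makes the inserted card's keys known to gpg-agent
}

# 3. Select the card-backed key from an `ssh-add -L` listing on stdin. Assumption:
#    gpg-agent comments smartcard keys as "cardno:<serial>", so that is the filter.
pick_card_key() {
  awk '/cardno:/ { print; exit }'
}

# 4. Drop one key (matched on its base64 blob, field 2) from an authorized_keys
#    file read on stdin. Used to retire the AWS key once the card key is proven.
strip_key_blob() {
  awk -v blob="$1" '$2 != blob'
}

main() {
  target="$1"; pem="$2"
  pubkey="$HOME/.ssh/yubikey_auth.pub"   # placeholder output name
  mkdir -p "$HOME/.ssh"

  use_gpg_agent_for_ssh
  ssh-add -L | pick_card_key > "$pubkey"
  [ -s "$pubkey" ] || { echo "no cardno: key in the agent; is the YubiKey plugged in?" >&2; exit 1; }

  # Last use of the AWS pem: install the card's public key. IdentitiesOnly keeps
  # ssh from offering agent keys (not yet authorized) before the pem.
  ssh-copy-id -i "$pubkey" -o "IdentityFile=$pem" -o IdentitiesOnly=yes "$target"

  # Prove the card key alone logs in: -i with a .pub file selects the matching
  # agent key. This is where the YubiKey asks for the PIN and, if enabled, a touch.
  ssh -o IdentitiesOnly=yes -i "$pubkey" "$target" true
  echo "YubiKey login to $target verified"

  # Only now is it safe to remove the AWS key from the instance. Two sessions
  # (read, then atomic replace), so expect two more touches.
  blob="$(ssh-keygen -y -f "$pem" | awk '{ print $2 }')"
  ssh -o IdentitiesOnly=yes -i "$pubkey" "$target" 'cat ~/.ssh/authorized_keys' \
    | strip_key_blob "$blob" \
    | ssh -o IdentitiesOnly=yes -i "$pubkey" "$target" \
        'cat > ~/.ssh/authorized_keys.new && mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys'
  echo "AWS key pair removed from $target; delete $pem once you have another way in"
}

if [ "$#" -ge 2 ]; then
  main "$@"
elif [ "$#" -ne 0 ]; then
  echo "usage: $0 user@host keypair.pem" >&2
  exit 1
fi
```

Run it as ./yubikey-ssh.sh ubuntu@ec2-xxx.compute.amazonaws.com keypair.pem. The verification login comes before the authorized_keys rewrite on purpose: if the card key does not work, the script stops while the pem still opens the door. The replacement on the instance goes through a temporary file and mv so a dropped connection cannot leave authorized_keys half-written.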

Summary

And you are connected!
Using this method removes the need to carry the pem file AWS generated. Note that the AWS public key stays in ~/.ssh/authorized_keys on the instance until you delete that line yourself, so until then anyone holding the pem can still log in; delete it only after the Yubikey login has been verified, and keep a second way in (a backup key, for instance) in case the Yubikey is lost. You can use the same method for any other server: just copy your public key over and your Yubikey is your authenticator.