[email protected]:~$

Keybase To OpenPGP To OpenSSH

My laptop’s hard disk crashed last week. This is a one year old machine and I never expected the hard drive to go bust so soon. I know that this is my fault because I did hard shutdown my laptop everyday at least 4 times for the last few weeks. Reason? because Kubuntu 15.10 would throw a black screen everytime I tried to boot up and would freeze and only worked after restarting at least 3-4 times. I tried to fix it but couldn’t. Then again, to avoid this from happening I avoided shutting down the laptop and when the hard disk crashed, it was up for ~4-5 days. Other than this, sleep never worked for me on Linux. I like using Linux. I have jumped between various distros and Kubuntu seemed to be almost perfect except for that massively annoying issue. I hate to admit it but Windows is still years ahead of Linux on desktop. This is not the year of Linux on desktop yet. Anyway, I still installed Kubuntu 15.10 again on the new hard disk (dem feels) and luckily this time that issue is not there; most probably because I haven’t installed my graphics card drivers yet, and I won’t. I am keeping this system vanilla and will install all software in Docker only from now onwards.

As the hard disk crashed, my ssh keys were also gone. I was under the impression that I had backed them up somewhere but couldn’t find them during skyfall. It is a crime that requires 100 lashes, I know. But I did have my OpenPGP keys backed up at keybase.io. OpenPGP keys can be converted to OpenSSH keys. To avoid getting into such situation again, I have decided that I’ll only maintain my OpenPGP keys and generate my OpenSSH keys from that. I found some information on how to do this but it is scattered at many places and I had to do some hit and trial to make it work. I am documenting it here for anyone looking for the same and for myself as well. This guide assumes that you have GPG and OpenSSH client installed.

Steps

Go to your keybase.io id and click on the edit button next to the public key fingerprint and select ‘Export my private key from Keybase’.

Export your private key

This will prompt you for your key’s password and upon verification will show the OpenPGP private key. Copy the key and save it as private.key.

Then you need to import the key to OpenPGP using GnuPG (GPG). Do it like this (Note: this is double hyphen in –allow…..):

gpg --allow-secret-key-import --import private.key

Now verify that it worked with this:

gpg --list-secret-keys

Now we need to generate OpenSSH keys from this. For this we will use a tool called openpgp2ssh that is included in the Monkeysphere framework.

cd /tmp && wget http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.36.orig.tar.gz

tar -xvzf monkeysphere_0.36.orig.tar.gz

cd monkeysphere-0.36/src

chmod +x openpgp2ssh

Now we need to install some dependencies.

sudo apt-get update

sudo apt-get install make perl libssl-dev

sudo cpan YAML

sudo cpan Crypt::OpenSSL::Bignum

sudo cpan Crypt::OpenSSL::RSA

openpgp2ssh is now ready to work but this tool does not work with encrypted keys so we need to remove the password first.

gpg --list-secret-keys

This will show you the id of your key. If you see something like sec 4096R/04A10DF9 ....... copy the part after 4096R/. That is your key. Here I am using my key id. Replace the occurence of 04A10DF9 in the following commands with your key id.

gpg --edit-key 04A10DF9

gpg shell opens… now use the command passwd and it will ask for your key’s password. After verification it will ask for the new password, leave this one blank. Then it will ask ‘if you really want to do this’, press ‘y’. Now use the save command to save the changes and exit the shell.

Make sure you have the ~/.ssh directory or else generate now.

mkdir ~/.ssh/

Now we do the conversion:

gpg --export 04A10DF9 | ./openpgp2ssh 04A10DF9 > ~/.ssh/id_rsa.pub

gpg --export-secret-key 04A10DF9 | ./openpgp2ssh 04A10DF9 > ~/.ssh/id_rsa

We have successfully exported the OpenSSH keys. Now we modify the permissions for our OpenSSH private key.

chmod 0600 ~/.ssh/id_rsa

We need to setup a password for our OpenSSH private key. Note: This password may not be the same as the password your OpenPGP key.

ssh-keygen -f ~/.ssh/id_rsa -p

This will ask for a new passphrase. Enter the new passphrase and re-enter when asked again. Now we need to delete our unprotected OpenPGP key (remember we removed the password).

gpg --delete-secret-key 04A10DF9

Now cd to the directory where we had stored our private.key imported from Keybase and reimport it into GPG.

gpg --allow-secret-key-import --import private.key

Delete the private.key file now.

rm private.key

And the process is complete! This looks pretty hectic but I think it is worth the pain. You only need to manage your OpenPGP key and that can be done easily with Keybase (don’t forget to back it up though). You may also backup your OpenSSH keys if you don’t want to go through all this again when you need them. But now you know that you are not in trouble if you have lost them :)