Keybase To OpenPGP To OpenSSH
My laptop’s hard disk crashed last week. This is a one year old machine and I never expected the hard drive to go bust so soon. I know that this is my fault because I did hard shutdown my laptop everyday at least 4 times for the last few weeks. Reason? because Kubuntu 15.10 would throw a black screen everytime I tried to boot up and would freeze and only worked after restarting at least 3-4 times. I tried to fix it but couldn’t. Then again, to avoid this from happening I avoided shutting down the laptop and when the hard disk crashed, it was up for ~4-5 days. Other than this, sleep never worked for me on Linux. I like using Linux. I have jumped between various distros and Kubuntu seemed to be almost perfect except for that massively annoying issue. I hate to admit it but Windows is still years ahead of Linux on desktop. This is not the year of Linux on desktop yet. Anyway, I installed Kubuntu 15.10 again on the new hard disk (dem feels) and luckily this time that issue is not there.
My ssh keys were also gone. I did have my OpenPGP keys backed up at keybase.io though. OpenPGP keys can be converted to OpenSSH keys. I might just maintain my OpenPGP keys and generate my OpenSSH keys from that in the future. I found some information on how to do this but it is scattered at many places and I had to do some hit and trial to make it work. I am documenting it here for anyone looking for the same and for myself as well. This guide assumes that you have GPG and OpenSSH client installed.
Steps
Go to your keybase.io id and click on the edit button next to the public key fingerprint and select ‘Export my private key from Keybase’.
This will prompt you for your key’s password and upon verification will show the OpenPGP private key. Copy the key and save it as private.key.
Then you need to import the key to OpenPGP using GnuPG (GPG). Do it like this (Note: this is double hyphen in –allow…..):
gpg --allow-secret-key-import --import private.key
Now verify that it worked with this:
gpg --list-secret-keys
Now we need to generate OpenSSH keys from this. For this we will use a tool called openpgp2ssh that is included in the Monkeysphere framework.
cd /tmp && wget http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.36.orig.tar.gz
tar -xvzf monkeysphere_0.36.orig.tar.gz
cd monkeysphere-0.36/src
chmod +x openpgp2ssh
Now we need to install some dependencies.
sudo apt-get update
sudo apt-get install make perl libssl-dev
sudo cpan YAML
sudo cpan Crypt::OpenSSL::Bignum
sudo cpan Crypt::OpenSSL::RSA
openpgp2ssh is now ready to work but this tool does not work with encrypted keys so we need to remove the password first.
gpg --list-secret-keys
This will show you the id of your key. If you see something like sec 4096R/04A10DF9 ....... copy the part after 4096R/. That is your key. Here I am using my key id. Replace the occurence of 04A10DF9 in the following commands with your key id.
gpg --edit-key 04A10DF9
gpg shell opens… now use the command passwd and it will ask for your key’s password. After verification it will ask for the new password, leave this one blank. Then it will ask ‘if you really want to do this’, press ‘y’. Now use the save command to save the changes and exit the shell.
Make sure you have the ~/.ssh directory or else generate now.
mkdir ~/.ssh/
Now we do the conversion:
gpg --export 04A10DF9 | ./openpgp2ssh 04A10DF9 > ~/.ssh/id_rsa.pub
gpg --export-secret-key 04A10DF9 | ./openpgp2ssh 04A10DF9 > ~/.ssh/id_rsa
We have successfully exported the OpenSSH keys. Now we modify the permissions for our OpenSSH private key.
chmod 0600 ~/.ssh/id_rsa
We need to setup a password for our OpenSSH private key. Note: This password may not be the same as the password your OpenPGP key.
ssh-keygen -f ~/.ssh/id_rsa -p
This will ask for a new passphrase. Enter the new passphrase and re-enter when asked again. Now we need to delete our unprotected OpenPGP key (remember we removed the password).
gpg --delete-secret-key 04A10DF9
Now cd to the directory where we had stored our private.key imported from Keybase and reimport it into GPG.
gpg --allow-secret-key-import --import private.key
Delete the private.key file now.
rm private.key
And the process is complete! This looks pretty hectic but I think it is worth the pain. You only need to manage your OpenPGP key and that can be done easily with Keybase (don’t forget to back it up though). You may also backup your OpenSSH keys if you don’t want to go through all this again when you need them. But now you know that you are not in trouble if you have lost them :)
