YubiKey

Last updated 2 years ago
Guide to setting up a YubiKey for encryption, SSH authentication and signing Git commits.

Store the passphrases of all of your SSH keys securely in iCloud Keychain, from which ssh-agent will read them on startup.

Prerequisites

  • YubiKey 5 key

  • YubiKey Manager

  • YubiKey Personalization Tool

To verify that a YubiKey is genuine, open https://www.yubico.com/genuine/ in a browser.

Install

brew install gnupg yubikey-personalization hopenpgp-tools ykman pinentry-mac

A private key file is still stored on your machine, but for the -sk key types it is only a handle that refers to the security key device itself. If that file is stolen from your computer, it is useless without the physical security key.

# The "sk" suffix is short for "security key": the private key file written to
# ~/.ssh is only a handle for the key that lives on the YubiKey.
ssh-keygen -t ecdsa-sk -C "<email address>"
# Require user verification (the YubiKey PIN) in addition to touch on every use.
ssh-keygen -t ecdsa-sk -O verify-required -C "<email address>"
ssh-keygen -t ed25519-sk -C "<email address>"

Passphrase

Configure ssh-agent to always use the Keychain

Add the following lines to your ~/.ssh/config file:

Host foo
  HostName foo.com
  User fooUser
  IdentityFile ~/.ssh/foo

Host bar
  HostName bar.com
  User barUser
  IdentityFile ~/.ssh/bar
########################
# Keep the default configuration
# as the last item in this file
Host *
  UseKeychain yes
  AddKeysToAgent yes
  #IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/foo
  IdentityFile ~/.ssh/bar

Any key you add to ssh-agent with ssh-add --apple-use-keychain ~/.ssh/[your-private-key] has its passphrase stored in the Keychain, and the key should be loaded automatically after a reboot.

You should be able to see the keys in the Keychain Access app, as well as from the command line via:

ssh-add -l
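An added audit script (not part of the original page) that checks the two points above on a machine: that the keys loaded in ssh-agent are security-key handles (sk- types) rather than software keys, and that ~/.ssh/config enables UseKeychain and AddKeysToAgent under a Host * block that is the last Host block. The key lines and config files in the comments and checks are constructed samples; run it against the real agent and config with --run.

```shell
#!/bin/sh
# Added example, not from the original page: audit the two points the page relies on.
# 1) Only "sk-" key types are handles for a FIDO2 security key; anything else in the
#    agent is a software key whose private material lives on disk.
# 2) ~/.ssh/config must enable UseKeychain/AddKeysToAgent under a "Host *" block that
#    is the last Host block, because ssh uses the first value it finds for an option.

# Return 0 if a public-key line (from a .pub file or `ssh-add -L`) is security-key backed.
is_sk_key() {
  case "$1" in
    "sk-ecdsa-sha2-nistp256@openssh.com "*|"sk-ssh-ed25519@openssh.com "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read public-key lines on stdin and print "SK <type>" or "SOFT <type>" per key.
classify_keys() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    if is_sk_key "$line"; then kind=SK; else kind=SOFT; fi
    printf '%s %s\n' "$kind" "${line%% *}"
  done
}

# Check an ssh_config file; print findings and return 0 only when every check passes.
check_ssh_config() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  # awk tracks the current Host block so only settings under "Host *" are counted.
  result=$(awk '
    tolower($1)=="host" { cur=$2; last=cur; next }
    cur=="*" && tolower($1)=="usekeychain"    && tolower($2)=="yes" { uk=1 }
    cur=="*" && tolower($1)=="addkeystoagent" && tolower($2)=="yes" { ak=1 }
    END { printf "%d %d %d\n", (last=="*"), uk, ak }
  ' "$file")
  set -- $result
  rc=0
  [ "$1" = 1 ] || { echo "Host * is not the last Host block; it would override later per-host blocks"; rc=1; }
  [ "$2" = 1 ] || { echo "UseKeychain yes is missing under Host *"; rc=1; }
  [ "$3" = 1 ] || { echo "AddKeysToAgent yes is missing under Host *"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ssh config ok"
  return "$rc"
}

# Run against the live machine with: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
  ssh-add -L | classify_keys
  check_ssh_config "$HOME/.ssh/config"
fi
```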

Static secrets

The YubiKey can be configured to type a fixed string when its button is long-pressed. To set this up, follow the blog post listed under Reference.

To auto-type the secret, press and hold the YubiKey button for 3-4 seconds.

Reference

  • YubiKey
  • Software
  • Yubikeys for Static Secrets
  • YubiKey-Guide
  • Git SSH Authentication on macOS
  • How can I permanently add my SSH private key to Keychain so it is automatically available to ssh?
  • Storing the same SSH key on multiple Yubikeys?
  • Store SSH keys in the Secure Enclave