My last blog post was about encrypting backups. On my local computer the backups can easily be decrypted with gpg --decrypt. But what if the data has to be decrypted on a remote server?
This is harder because the required YubiKey is not plugged into the remote machine, so the private key stored on it cannot be used there either.
But here again I realized that Linux simply does a lot of things better. So here is a way to get the YubiKey onto a remote machine.
First of all, we need to understand that there is a gpg-agent on our local machine which handles all access to the inserted YubiKey (it talks to the card through its helper process scdaemon). Every application that works with the YubiKey does so through this gpg-agent, never directly.
The gpg-agent listens on Unix domain sockets, and whatever can reach such a socket can use the agent and the attached YubiKey. To find the current socket paths we ask gpgconf:
gpgconf --list-dirs agent-socket
On my machine this prints /run/user/1000/gnupg/S.gpg-agent. gpgconf also knows the directory key agent-extra-socket; that is the restricted socket (S.gpg-agent.extra) GnuPG recommends forwarding to other machines, because it only exposes a reduced set of agent commands to the remote side. Forwarding the normal socket works as well, which is what this post does.
Exactly this socket can be forwarded to a remote server over ssh. The remote server needs GnuPG installed too, but it is best if no gpg-agent of its own is listening there while you connect (stop it with gpgconf --kill gpg-agent), so that the forwarded socket is the only one under that path. On top of that, the ssh server on the remote machine needs one configuration parameter that allows sshd to replace an existing socket file when it sets up the forward.
On the remote server, add
StreamLocalBindUnlink yes
to /etc/ssh/sshd_config and restart sshd. After you have made this change on the server, you can take your YubiKey to the remote machine with the following ssh command:
ssh -R /run/user/0/gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent user@remotehost.com
In the example shown I connect the gpg socket of the user root on the remote server (uid 0) to the socket of my local user (uid 1000). The uids can of course differ, so it is important to query the correct paths with gpgconf on both machines rather than guessing them; a wrong remote path means the remote gpg simply keeps talking to its own agent.
I use the ssh config to set this up on every connect. The parameter for this in ~/.ssh/config is RemoteForward <RemoteSocket> <LocalSocket> inside a Host block, and adding ExitOnForwardFailure yes makes ssh abort instead of silently continuing without the forward.
Afterwards my locally connected YubiKey is fully recognized by gpg on the remote host, because every agent request is now tunnelled back to my local gpg-agent. You can check this on the remote host with
gpg --card-status
If the card details are shown, gpg --decrypt on the remote machine will use the key on the YubiKey, provided the matching public key has been imported into the remote keyring. The private key never leaves the card: every decryption or signature still happens on the locally attached YubiKey, and the PIN prompt appears on the local machine, not on the remote one.
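The whole procedure as one script, as an added example that is not from the original post. It assumes gpgconf and ssh exist on both machines and that the remote sshd already has StreamLocalBindUnlink yes; user@remotehost.com is a placeholder, and the helper names (forward_spec, ssh_config_stanza, local_socket, remote_socket) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): forward the local gpg-agent socket
# to a remote host so that gpg there can use the locally inserted YubiKey.
# Assumptions: gpgconf and ssh exist on both ends, the remote sshd already has
# "StreamLocalBindUnlink yes", and the host/user names are placeholders.

# Compose the argument for "ssh -R": <remote socket>:<local socket>.
forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Emit a ~/.ssh/config stanza that sets up the forward on every connect.
# ExitOnForwardFailure makes ssh abort instead of silently dropping the forward.
ssh_config_stanza() {
    printf 'Host %s\n    RemoteForward %s %s\n    ExitOnForwardFailure yes\n' "$1" "$2" "$3"
}

# Local socket: prefer the restricted "extra" socket GnuPG recommends for
# forwarding; fall back to the normal agent socket on older GnuPG versions.
local_socket() {
    s=$(gpgconf --list-dirs agent-extra-socket 2>/dev/null) || s=""
    [ -n "$s" ] || s=$(gpgconf --list-dirs agent-socket)
    printf '%s\n' "$s"
}

# Remote socket: ask the remote gpgconf instead of guessing the uid.
remote_socket() {
    ssh "$1" 'gpgconf --list-dirs agent-socket'
}

main() {
    host=$1
    shift
    lsock=$(local_socket)
    rsock=$(remote_socket "$host")
    # Stop any agent already running remotely so the forwarded socket is the
    # only thing answering under that path.
    ssh "$host" 'gpgconf --kill gpg-agent' || true
    # Connect; the remaining arguments may be a command such as
    # "gpg --card-status", otherwise you get an interactive shell.
    ssh -o ExitOnForwardFailure=yes -R "$(forward_spec "$rsock" "$lsock")" "$host" "$@"
}

# Only act when a host was given, e.g.:
#   sh forward-gpg.sh user@remotehost.com gpg --card-status
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

ssh_config_stanza prints the permanent form of the same forward; paste its output into ~/.ssh/config and a plain ssh remotehost.com brings the card along every time.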