My last blog post was about encrypting backups. The backups can easily be decrypted on my local computer with gpg --decrypt. But what if the data is to be decrypted on a remote server? This is more difficult because the required Yubikey is not available on the remote computer, so the private key stored on the Yubikey cannot be accessed either. But here again I realized that Linux simply does a lot of things better. So here is a way to make the Yubikey available on a remote machine.

how does it work

First of all, we need to understand that there is a GPG agent on our local machine which handles access to our inserted Yubikey. All applications that interact with the Yubikey do so via this gpg-agent.

The gpg-agent provides sockets that we can use to communicate with the agent and the associated Yubikey. To get the current socket path we can ask the agent with the following command:

gpgconf --list-dirs agent-socket

This gives me /run/user/1000/gnupg/S.gpg-agent.

With this socket path it is possible to forward exactly this socket to a remote server via ssh. The remote server must also have gpg-agent installed and running. On top of that we need a configuration parameter in the ssh server on the remote machine that allows ssh to overwrite existing sockets.

needed server configuration

On the Remote Server we need the following things to be done:

  1. gpg-agent must be installed on the server
  2. add StreamLocalBindUnlink = yes to your /etc/ssh/sshd_config and restart sshd
  3. create a gpg.conf in ~/.gnupg/ with use-agent as content (echo use-agent >> ~/.gnupg/gpg.conf)

howto forward

After you have made the necessary settings on the server, you can make your Yubikey available on the remote machine with the following ssh command.

ssh -R /run/user/0/gnupg/S.gpg-agent:/run/user/1000/gnupg/S.gpg-agent user@remotehost.com

In the example shown I connect the GPG socket of the user root on the remote server with the socket of my local user (UID 1000). The user IDs can of course differ, so it is important to query the correct paths with gpgconf.

I use the ssh config to set such things on every connect. The parameter needed for this in the ssh config is RemoteForward <RemoteSocket> <LocalSocket>.

Afterwards my locally connected Yubikey is fully recognized by the remote gpg-agent. You can check this on the remote host with gpg --card-status.
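The steps above, collected into a small POSIX shell helper as an added example (not code from the original post): it assembles the ssh -R argument and the ssh config stanza from the two socket paths, and checks an sshd_config file for the StreamLocalBindUnlink prerequisite before you rely on the forwarding. The function names and the assumption that the option is set globally (not inside a Match block) are mine.

```shell
#!/bin/sh
# Added helper, not part of the original post: assembles the socket
# forwarding from the post and checks the remote sshd_config prerequisite.

# Build the ssh -R argument "<remote socket>:<local socket>".
# The remote path is the gpg-agent socket of the remote user, the local
# path the one reported by "gpgconf --list-dirs agent-socket".
gpg_forward_spec() {
    printf '%s:%s\n' "$1" "$2"
}

# Resolve the local gpg-agent socket; an explicit path (first argument)
# is accepted so the function also works where gpgconf is not installed.
local_agent_socket() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        gpgconf --list-dirs agent-socket
    fi
}

# Print the full ssh command line that forwards the Yubikey-backed agent.
# Usage: gpg_forward_command REMOTE_SOCKET LOCAL_SOCKET USER@HOST
gpg_forward_command() {
    printf 'ssh -R %s %s\n' "$(gpg_forward_spec "$1" "$2")" "$3"
}

# Print an ssh_config stanza (the RemoteForward form from the post) for a
# host alias, so the forwarding happens on every connect.
gpg_forward_stanza() {
    printf 'Host %s\n    RemoteForward %s %s\n' "$1" "$2" "$3"
}

# Return 0 if the given sshd_config sets StreamLocalBindUnlink to yes.
# Handles "Key value" and "Key = value", case-insensitive keywords and
# comment lines; like sshd, the first occurrence wins.  Match blocks are
# not evaluated (assumption: the option is set globally, as in the post).
sshd_allows_unlink() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            sub(/[[:space:]]*=[[:space:]]*/, " ")   # normalise "Key = value"
            if (tolower($1) == "streamlocalbindunlink") {
                found = 1; value = tolower($2); exit
            }
        }
        END { if (found && value == "yes") exit 0; exit 1 }
    ' "$1"
}
```

Run sshd_allows_unlink against a copy of the remote /etc/ssh/sshd_config first; if it returns non-zero the ssh -R bind will fail on reconnects because the stale socket is never unlinked.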
