Add / use RSA gpg [A] Authentication key?

I’m having an issue trying to put my existing PGP subkeys onto the OnlyKey as a “stored key”.
I have 3 subkeys I’d like to use (as I currently do on my Yubikey).

My gpg key looks like this:

sec#  rsa4096/0xC0C076132FFA7695 2016-02-01 [C]
      Key fingerprint = 9386 A2FB 2DA9 D0D3 1FAF  0818 C0C0 7613 2FFA 7695
uid                              Jonathan Cross <jcross[at]>
uid                              [jpeg image of size 2772]
uid                              website (
ssb>  rsa2048/0xD8578DF8EA7CCF1B 2016-02-01 [S]
ssb>  rsa2048/0x8E1719FE1E8DA9B9 2016-02-01 [E]
ssb>  rsa2048/0x397428FC5BA60C24 2016-02-01 [A]

I don’t see any documentation or clear explanation on how to add / use the [A] (authentication) key.
If you are not aware, these are commonly used with ssh.

Can you please point me to detailed instructions on how to add these subkeys to my OnlyKey using the GUI desktop app? I am not interested in adding the primary (aka Master) key.

I tried for an hour and just kept getting strange errors, or no response at all from the app.


  • Should each subkey be done separately?
  • Why is there no explicit [A] Authentication key option?
  • How do I know if it was successful?

** One tricky issue is that I am doing all of this on an air-gapped computer which is extremely locked down… so no onlykey-agent and very few options to install packages.

Okay, I did a bunch more hunting and found this:

It seems there is a crude way to extract multiple subkeys with a Python script and then load them onto the OnlyKey. Much more hassle than I’d expect (can’t run pip to install packages on an air-gapped machine, for example). I hope this evolves into proper support for subkeys eventually.

Here I am asking about a 2048-bit RSA Authentication subkey:

Yes, while the app supports common GPG keys in OpenPGP format, there are variations with multiple subkeys that are not currently supported. We will add support in the app for this soon.

  • Why is there no explicit [A] Authentication key option?

Authentication keys are just signing keys that GPG knows to use for signing authentication blobs. There is no difference in the keys themselves on the device so the device does not have this flag.
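
Added example (not part of the thread and not OnlyKey's own code): the [S]/[E]/[A] labels are usage flags that GnuPG reports next to each key, so the subkey GnuPG treats as the authentication key can be identified from the output of `gpg --list-secret-keys --with-colons` before anything is loaded onto a device. The script uses only the Python standard library; the field positions are those documented in GnuPG's doc/DETAILS, and the sample input is constructed from the listing in the first post.

```python
# Added example: stdlib only, so it runs on an offline machine without pip.
# Field positions follow GnuPG's --with-colons format (doc/DETAILS):
# 1 = record type, 3 = key length, 4 = algorithm, 5 = key ID, 12 = capabilities.

CAPABILITIES = {"c": "certify", "s": "sign", "e": "encrypt", "a": "authenticate"}
ALGORITHMS = {"1": "rsa"}  # only RSA is mapped; other IDs are shown as "algoN"

# Constructed sample mirroring the listing in the post (timestamps are constructed,
# and fields after the capabilities column are omitted).
SAMPLE = """\
sec:u:4096:1:C0C076132FFA7695:1454284800:::u:::cESCA:
fpr:::::::::9386A2FB2DA9D0D31FAF0818C0C076132FFA7695:
ssb:u:2048:1:D8578DF8EA7CCF1B:1454284800::::::s:
ssb:u:2048:1:8E1719FE1E8DA9B9:1454284800::::::e:
ssb:u:2048:1:397428FC5BA60C24:1454284800::::::a:
"""


def parse_keys(colons_text):
    """Return one dict per primary key or subkey record with its own capabilities."""
    keys = []
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub", "sec", "ssb") or len(f) < 12:
            continue  # skip fpr/uid/grp records and malformed lines
        algo = ALGORITHMS.get(f[3], "algo" + f[3])
        # Lowercase letters are this key's own capabilities; the uppercase letters
        # on a primary record summarise the whole key and are skipped here.
        caps = [CAPABILITIES[c] for c in f[11] if c in CAPABILITIES]
        keys.append({"primary": f[0] in ("pub", "sec"), "algo": algo + f[2],
                     "keyid": f[4], "caps": caps})
    return keys


def subkeys_with(keys, capability):
    """Key IDs of subkeys (never the primary) that carry the given capability."""
    return [k["keyid"] for k in keys
            if not k["primary"] and capability in k["caps"]]


if __name__ == "__main__":
    for k in parse_keys(SAMPLE):
        role = "primary" if k["primary"] else "subkey "
        print(role, k["algo"], "0x" + k["keyid"], ",".join(k["caps"]))
```
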