Rotate derived SSH/GPG keys


Am I right in thinking that if I later wish to rotate SSH/GPG derived keys I’ve used from my OnlyKey I have to completely reset it? From what I understand the random key from which the SSH/GPG keys are derived is generated once at setup and cannot be altered afterward?


No you would not need to reset device. You could either use a different email to generate a different key or if you must keep the same email you could use a different timestamp which will also generate a different key like this - OnlyKey SSH/GPG agent | Docs

If you want more control over keys you could also use stored keys - OnlyKey SSH/GPG agent | Docs

Thanks - does using different timestamps apply to GPG only though? I could not see an option to specify timestamp with onlykey-agent for SSH.

Yes, for ssh you could just pass whatever identity you want to use like this:

$ onlykey-agent identity -- ssh user@server
1 Like