Ssh/gpg passphrase entry as well as pin entry

I use gpg-agent for my ssh/gpg keys right now, and like the passphrase entry for the key

Is it possible to have to unlock the onlykey with the pin as well as use the passphrase once the onlykey is unlocked?

I can't find anything when searching for answers. Or is there a way to point gnupg at the onlykey as the location for gpg/ssh keys?

You may be able to add additional settings using GPG once it's set up; for example, you can add key expiration after identity creation using the gpg command - OnlyKey SSH/GPG agent | Docs

The onlykey software has you enter the passphrase when moving the key onto the onlykey. So I don't see how you could then get the onlykey to require the passphrase.

It's not a gpg setting I am looking for, it is an option in the agent, so I can't use the gpg command.

Oh, I thought you were looking to require a PIN + gpg passphrase. That is your PGP key passphrase; PGP private keys are stored in an encrypted format on disk and require a passphrase to use them. This is completely separate from OnlyKey, as OnlyKey does not store any keys on disk; keys are used without leaving your OnlyKey.

I was looking to require both a PIN and gpg passphrase (I have just tried to use the ssh key so far).

my ideal workflow would be:

  1. enter pin on onlykey
  2. initiate ssh connection
  3. popup asking for passphrase to unlock key appears
  4. enter passphrase and ssh session connects

My current config with ssh keys stored in my home directory with gpg-agent is:

  1. initiate ssh connection
  2. prompt for passphrase
  3. enter passphrase, ssh session connects
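As an added example (not code from the thread or from OnlyKey's docs), here is the gpg-agent setup behind the "current config" above, written as a POSIX shell script. It enables gpg-agent's SSH support and bounds how long an entered passphrase is cached, which is what decides how often the prompt in step 2 comes back. The config directory passed in, and the cache TTL values of 600 and 3600 seconds, are assumptions chosen for the example; `gpgconf --list-dirs agent-ssh-socket` is the real GnuPG way to find the agent's SSH socket.

```shell
#!/bin/sh
# Added example, not from the forum thread: make gpg-agent act as the SSH agent.
# The directory argument and the TTL values are assumptions for this example.
set -eu

# Idempotently write the gpg-agent settings that turn on SSH support and cap
# how long a passphrase stays cached (default-cache-ttl-ssh is idle time,
# max-cache-ttl-ssh is an absolute bound; both in seconds).
write_gpg_agent_conf() {
    conf="$1/gpg-agent.conf"
    mkdir -p "$1"
    touch "$conf"
    for line in "enable-ssh-support" "default-cache-ttl-ssh 600" "max-cache-ttl-ssh 3600"; do
        key="${line%% *}"
        # Only append a setting that is not already present, so re-runs do not
        # stack duplicate lines (gpg-agent honours the last one, which is confusing).
        grep -q "^$key" "$conf" || printf '%s\n' "$line" >> "$conf"
    done
    chmod 600 "$conf"
}

# Count how many times a setting appears in the written file.
setting_count() {
    grep -c "^$2" "$1/gpg-agent.conf"
}

# Print the export line that points ssh at gpg-agent's socket. Needs GnuPG
# installed; prints a comment instead when gpgconf is not on PATH.
print_ssh_auth_sock_export() {
    if command -v gpgconf >/dev/null 2>&1; then
        printf 'export SSH_AUTH_SOCK=%s\n' "$(gpgconf --list-dirs agent-ssh-socket)"
    else
        printf '# gpgconf not found; install GnuPG first\n'
    fi
}
```

After running `write_gpg_agent_conf "$HOME/.gnupg"` and adding the printed export line to your shell profile, restart the agent (`gpgconf --kill gpg-agent`), run `ssh-add ~/.ssh/id_ed25519` once to hand the key to gpg-agent (it re-encrypts it under a passphrase in its own key store), and `ssh-add -L` should list it. With the TTLs above, the passphrase popup returns after 10 minutes idle or 1 hour at most; set both to 0 to be prompted on every connection.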

It is extremely insecure to store the private key unencrypted on the hard disk, because any program or user with access rights will be able to extract and copy it, so the GPG program allows you to set a passphrase to protect (encrypt) your private key. Even if it is encrypted with a passphrase, the private key is not safe, because it needs to be decrypted and held in memory when performing private key operations. While it is in memory, if the memory is dumped, the private key may still be exposed.

So there is another solution: a hardware security module, a device that can store private keys and perform decryption and signature operations. By generating or storing the private key in the HSM, decryption and signing never cause the private key to leave the HSM; only the data to be processed and the processed result enter and exit the HSM, so the private key itself cannot be leaked. The HSM itself uses methods such as PINs to identify users, and some security keys also have touch authentication to prevent remote attacks.

OnlyKey can be used as an HSM device. The difference from other devices is that it provides encrypted backup and allows private keys to be exported, while still protected by the PIN.