A lot has become clear to me since this tip from Tim:
ssh-keygen -t ecdsa-sk
and ssh-keygen -t ed25519-sk
generated keys work great with OnlyKey for server login.
Resident keys get stuck on invalid format:
marco@t520:~$ ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
Key enrollment failed: invalid format
marco@t520:~$ ssh -V
OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n 15 Mar 2022
Edit: Oh damn, I got it.
Hints: onlykey-cli is only needed on one device.
onlykey-cli set-pin
ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_ed25519_sk
After that, you can put the OnlyKey in all other devices and download all available resident keys and write public/private key files with “ssh-keygen -K”. Or add the resident keys directly to ssh-agent without writing files to the file system using “ssh-add -K”.
See OpenSSH 8.2 Release Notes: FIDO2 resident keys
marco@w530:~$ ssh-keygen -K
Enter PIN for authenticator:
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Saved ED25519-SK key to id_ed25519_sk_rk
Incredible, an SSH key on a PIN-protected USB token. Works everywhere, no other tools needed except OpenSSH 8.2. The SSH key is also PIN + password protected.
I will still test backup and restore on other OnlyKeys.
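The procedure from the post (set the PIN once with onlykey-cli, enroll a resident ed25519-sk key on one machine, then pull it onto the others with ssh-keygen -K or ssh-add -K) as a POSIX shell script. This is an added example, not code from the post or from OnlyKey's own tooling. It assumes onlykey-cli and OpenSSH are on PATH and the token is plugged in, and it adds one check the post implies but does not show: parsing the ssh -V banner to confirm OpenSSH 8.2 or newer (the first release with FIDO2 resident-key support) before attempting any resident-key operation. The function names and the enroll/download/agent sub-commands are my own.

```shell
#!/bin/sh
# Added example, not from the forum post: the OnlyKey + OpenSSH resident-key
# workflow wrapped in functions, guarded by an OpenSSH version check.
set -eu

# Return 0 when an "ssh -V" banner is from OpenSSH 8.2 or newer, the first
# release that understands -O resident, ssh-keygen -K and ssh-add -K.
# Takes the banner as an argument so it can be checked against constructed
# strings without a running ssh.
openssh_supports_resident_keys() {
    banner=$1
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        return 1            # not an OpenSSH banner at all
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ]; then
        return 0
    fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then
        return 0
    fi
    return 1
}

# Refuse to continue if the installed ssh predates resident-key support.
require_resident_key_support() {
    banner=$(ssh -V 2>&1)   # ssh prints its version banner on stderr
    if ! openssh_supports_resident_keys "$banner"; then
        echo "need OpenSSH 8.2 or newer for FIDO2 resident keys, have: $banner" >&2
        return 1
    fi
}

# Step 1, run once on the first machine: set the FIDO2 PIN with onlykey-cli,
# then enroll a resident ed25519-sk key. The "private key" file ssh-keygen
# writes is only a key handle; the secret never leaves the OnlyKey.
enroll_resident_key() {
    keyfile=${1:-$HOME/.ssh/id_ed25519_sk}
    onlykey-cli set-pin
    ssh-keygen -t ed25519-sk -O resident -f "$keyfile"
}

# Step 2, on any other machine with OpenSSH >= 8.2 (no onlykey-cli needed):
# download every resident key on the token. ssh-keygen -K writes
# id_ed25519_sk_rk and id_ed25519_sk_rk.pub into the current directory
# after asking for the PIN, a touch, and a passphrase for the handle file.
download_resident_keys() {
    into_dir=${1:-$HOME/.ssh}
    mkdir -p "$into_dir"
    chmod 700 "$into_dir"
    ( cd "$into_dir" && ssh-keygen -K )
}

# Alternative to step 2: load the resident keys straight into the running
# ssh-agent without writing anything to disk.
load_resident_keys_into_agent() {
    ssh-add -K
}

# Dispatch only when a sub-command is given, so sourcing this file merely
# defines the functions.
if [ "$#" -gt 0 ]; then
    case "$1" in
        enroll)   require_resident_key_support && enroll_resident_key "${2:-}" ;;
        download) require_resident_key_support && download_resident_keys "${2:-}" ;;
        agent)    require_resident_key_support && load_resident_keys_into_agent ;;
        *) echo "usage: $0 enroll [keyfile] | download [dir] | agent" >&2; exit 2 ;;
    esac
fi
```

The public half that ssh-keygen -K writes is an ordinary sk-ssh-ed25519@openssh.com key, the same type a non-resident enrollment produces, so nothing changes on the server side: the existing authorized_keys entry keeps working from every machine the token is moved to.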