Understanding OnlyKey SSH/GPG Agent

After perusing the docs, I’m having trouble understanding Onlykey’s ssh & gpg workflow. Do ssh/gpg private derived keys ever leave the device?

If the private key is revealed through the onlykey agent, with ssh it looks like you can setup fido2 resident credentials to achieve the same result. I didn’t see a workaround for gpg keys though. Based on the repository onlykey-agent is forked from, onlykey actually uses a derived child key, so even this wouldn’t be an issue. Is that accurate, or am I way off base?

The motivation behind my questions are:

  1. Determining if there’s any disadvantage to using a gpg-based password manager like pass, over keepassxc. Since keepassxc can be setup with fido2 challenge-response, my understanding is that the private key won’t leave onlykey.
  2. Determining if there’s any disadvantage to using ssh onlykey agent versus fido2 resident credentials.

Maybe some documentation on ssh/gpg workflow would help other users?

P.S. Brilliant device. The attention to detail is incredible.

1 Like

After perusing the docs, I’m having trouble understanding Onlykey’s ssh & gpg workflow. Do ssh/gpg private derived keys ever leave the device?

You can either use derived keys which are generated on and stay on OnlyKey or stored keys which are standard OpenSSH or GPG keys you generate yourself and load onto OnlyKey. Both have different advantages, with stored keys you generate your own keys and maintain the backup.

The motivation behind my questions are:

  1. Determining if there’s any disadvantage to using a gpg-based password manager like pass, over keepassxc. Since keepassxc can be setup with fido2 challenge-response, my understanding is that the private key won’t leave onlykey.

This depends. With KeepassXC if you have both a password and CR set up that is essentially two factors. Keep in mind KeepassXC does not support fido2 that is something different. With GPG on OnlyKey you still have two factors required with a PIN to unlock OnlyKey and a PGP key.

  1. Determining if there’s any disadvantage to using ssh onlykey agent versus fido2 resident credentials.

The onlykey agent has advantage of allowing unlimited number of accounts (resident credentials are limited). Also works with other tools and pretty much anywhere that SSH will work on Linux/Mac. Fido2 requires newer version of OpenSSH but will also work with Windows.

After perusing the docs, I’m having trouble understanding Onlykey’s ssh & gpg workflow. Do ssh/gpg private derived keys ever leave the device?

You can either use derived keys which are generated on and stay on OnlyKey or stored keys which are standard OpenSSH or GPG keys you generate yourself and load onto OnlyKey. Both have different advantages, with stored keys you generate your own keys and maintain the backup.

Is it accurate to say that a keylogger isn’t considered a threat in either scenario, then? Since neither set of keys are typed out on my machine, like a password, at any point in time.

Thanks for correcting me. I conflated the onlykey challenge response feature with fido2’s.

Key logging is only a threat with key entry. Of the scenarios mentioned the only key entry would be the password used thats why 2nd factor, the challenge response is important. SSH and GPG are not susceptible to key logging as there is no key entry.

Thanks for the quick and detailed responses.

In case it helps anyone, I’ll probably go with a gpg-based password manager since keepassxc hmac-sha1 isn’t truly two-factor.