Tdd Apps

# How to use your Keybase key for ssh

Jan 15, 2017 3 minute read

Extracting an RSA key out of Keybase is not straightforward for security beginners. These are the steps I took to automate the process.

The problem

Manually managing usernames and passwords for ssh into servers can be a difficult task. All those different passwords need to be backed up, synchronized across multiple computers, and typed every single time. Although password managers mitigate the credentials problem there’s a better mechanism to remote into boxes without typing passwords. The process involves generating public and private RSA key files.

These RSA keys need to be backed up and shared across different computers. While some use Dropbox to keep their keys synchronized others use Keybase. It is an online service to store PGP keys and map them to public identities such as Twitter accounts and domain registrations.


  1. Have a Keybase account.
  2. Have a working Docker installation


The following commands generate ssh keys out of the Keybase PGP keys

docker run -it --rm -v $TMP_KEY_STORAGE:/home ubuntu:16.04 /bin/bash

apt-get update -y
apt-get install curl monkeysphere -y
curl -O
dpkg -i keybase_amd64.deb
apt-get install -f -y
rm keybase_amd64.deb

groupadd -g 1001 user_data
useradd --create-home -g user_data -u 1001 user_data
su user_data
cd /home/user_data

keybase login

# Exporting your Keybase public key to keybase.public.key
keybase pgp export -o keybase.public.key
# Exporting your Keybase private key to keybase.private.key
keybase pgp export -s --unencrypted -o keybase.private.key

# Import your Keybase public key
gpg -q --import keybase.public.key
# Import your Keybase private key
gpg -q --allow-secret-key-import --import keybase.private.key
# The key import process produces a short hexadecimal hash
# We need to extract this hash and use it to generate the RSA key
# The hash is temporarily saved into hash.key
gpg --list-keys | grep '^pub\s*.*\/*.\s.*' | grep -oEi '\/(.*)\s' | cut -c 2- | awk '{$1=$1};1' > hash.key

ENC_KEY=`cat hash.key`
echo $ENC_KEY

# Generate the RSA private key using the hexadecimal hash
# The private key will be saved in the id_rsa file
gpg --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-keys --no-armor $ENC_KEY | openpgp2ssh $ENC_KEY > id_rsa
# Secure the private RSA key file  
chmod 400 id_rsa
# Generate the public RSA key file  
ssh-keygen -y -f id_rsa >

# Remove all the temporary files  
rm *.key


chmod 400 $TMP_KEY_STORAGE/user_data/id_rsa

Bonus: Replace the default ssh key

# Delete any pre-existing key  
rm -f ~/.ssh/
rm -f ~/.ssh/id_rsa

mkdir -p ~/.ssh/

# Create symbolic links to the default  
ln -s $TMP_KEY_STORAGE/user_data/ ~/.ssh/
ln -s $TMP_KEY_STORAGE/user_data/id_rsa ~/.ssh/id_rsa

Want to know more?

Never miss a post. Subscribe to our newsletter