Authenticating GitOps with U2F keys

Alright let's clock in, it's 9:23 am.

I was excited last week to find out GitHub now supports SSH keys with FIDO or, err, YubiKeys (was it U2F keys?), anyways, here's the official post.

I can't say I am a huge advocate, however I do use the keys quite a bit for my most critical stuff.

I was introduced first to the standard by finding out about Google's Advanced Protection Program (more on that here). On the other hand and from experience, I can say it's a very promising authentication factor.

Back to business

According to GitHub, I just need to:

  • Run
ssh-keygen -t ecdsa-sk -C <email address>

(note on the -sk there: that seems to instruct OpenSSH we're using an external key; which is cool and seamless).

  • Finish set up by plugging and touching the key thingie
  • Add my public key to GitHub
  • Profit

Let's see if it's as easy as that!
Also, by the way, I'm on macOS 🤠


Word of warning: You need OpenSSH 8.2 or newer to do this...

Got an error: Key enrollment failed: invalid format. Gonna try plugging the key... Works!

Exporting the key to GitHub is easy too; just follow this.

And then finally just trying to clone a random repo would confirm if that worked...

It worked!


This is so easy I am astounded. Gonna tell my friends at work.


This can be a big deal for security

Imagine for example a company wanting to enforce SSH security protocols for users accessing their corporate networks, but then an engineer uses a weak passphrase or none at all for their key.

Compromising that single private key can turn into a raging fire inside the company. With this, your private key never leaves the physical USB device, that's the reason it's so cool!
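One way a company could check that enrolled keys really are security-key backed, as an added example that is not part of the original post: it decodes each public key and reports the ones that are not `sk-` types. It assumes option-less `type base64 comment` lines as found in a `.pub` file; the function names and the sample keys are constructed for illustration.

```python
import base64

# Key types whose private half stays on a FIDO/U2F authenticator (OpenSSH 8.2+).
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}

def read_strings(blob):
    """Split an SSH wire-format blob into its 4-byte-length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if end > len(blob):
            raise ValueError("truncated field in key blob")
        out.append(blob[pos + 4:end])
        pos = end
    return out

def classify_key(line):
    """Return (key_type, application); application is None for non-FIDO keys."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public-key line")
    parts = read_strings(base64.b64decode(fields[1], validate=True))
    # Trust the type inside the blob and reject a text label that disagrees.
    key_type = parts[0].decode("ascii") if parts else ""
    if key_type != fields[0]:
        raise ValueError("declared type does not match key blob")
    # In both sk-* formats the last field is the application string.
    return key_type, (parts[-1].decode("ascii") if key_type in SK_TYPES else None)

def software_keys(lines):
    """Return (line_number, key_type) for every key that is not FIDO-backed."""
    found = []
    for number, line in enumerate(lines, 1):
        key_type, application = classify_key(line)
        if application is None:
            found.append((number, key_type))
    return found

def make_line(key_type, *rest, comment):
    """Build a constructed public-key line from dummy key material."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (key_type.encode(), *rest))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed samples: dummy key bytes, not real keys.
SAMPLE = [
    make_line("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256",
              b"\x04" + bytes(64), b"ssh:", comment="alice@example.com"),
    make_line("ssh-ed25519", bytes(32), comment="bob@example.com"),
]
```

Calling `software_keys(SAMPLE)` reports the second key, the plain `ssh-ed25519` one, as the key whose private half can sit on disk.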

Anyways, clocking out; it's 10:21am and I even got a chance to take a snap of my FIDO key for the cover image. Sweet. Now back to Kingdom Hearts.

P.S. 2
^ Re Cover Picture: Bet most of your friends would be scared to share a pic of their private key, hah.

See you next time.
