
Using Crayonic KeyVault with GitHub

We can confirm that GitHub now supports FIDO2 security keys and that KeyVault works great with them! Here are the steps to start using SSH keys protected by your biometrics on KeyVault:

Make sure you have OpenSSH 8.2 or later installed.


Create a resident key on the KeyVault by running:

$ ssh-keygen -t ecdsa-sk -O resident -O verify-required


This will create two files. The first is id_ecdsa_sk.pub, an OpenSSH public key file whose contents you’ll need to paste into the new SSH key form on GitHub. The second, id_ecdsa_sk, is a "key handle": a stand-in for a private key that points to your KeyVault.

To use the SSH key on another computer, make sure you have ssh-agent running and run:

$ ssh-add -K


This will load a “key handle” file into the SSH agent. To import the key handle permanently, run instead:

$ ssh-keygen -K


This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:

$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk


From now on, every time you perform a remote operation with GitHub, you will need to have the KeyVault with you and confirm the transaction explicitly with your fingerprint or PIN code.

This way you can easily work on any computer with your keys safely kept on you.
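
A preflight check for the steps above, as an added example that is not part of the original page: it verifies the OpenSSH 8.2 minimum from the `ssh -V` banner and confirms that the public key you are about to paste into GitHub is the security-key type. The function names and the `--run` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Return 0 if an `ssh -V` banner reports OpenSSH 8.2 or later,
# 1 if it is older, 2 if the text is not an OpenSSH banner.
openssh_supports_sk() {
    # Banners look like "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2" or
    # "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Return 0 if a public key line has the type that
# `ssh-keygen -t ecdsa-sk` writes, i.e. the key lives on a FIDO2 device.
is_ecdsa_sk_pubkey() {
    case "$1" in
        "sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the local client and a public key file before uploading it.
preflight() {
    pub=$1
    banner=$(ssh -V 2>&1) || { echo "ssh not found" >&2; return 1; }
    openssh_supports_sk "$banner" ||
        { echo "need OpenSSH 8.2 or later, found: $banner" >&2; return 1; }
    [ -r "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    is_ecdsa_sk_pubkey "$(head -n 1 "$pub")" ||
        { echo "$pub is not an ecdsa-sk public key" >&2; return 1; }
    echo "ok: $banner; $pub is a security-key public key"
}

# Only touch the real system when asked to: sh preflight.sh --run [pubkey]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-$HOME/.ssh/id_ecdsa_sk.pub}"
fi
```

A plain `ecdsa-sha2-nistp256` key fails the second check, which catches the case where a software key was generated by mistake and would be uploaded in place of the KeyVault-backed one.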

