Android SSH with YubiKey OpenPGP: Termux + OpenKeychain + OKC Agent (Subkeys Setup Guide)

isscbta

Guide: Android (Termux) + OpenKeychain + OKC Agent for SSH via OpenPGP (YubiKey setup with subkeys)

0) Android: install and basic settings
Install:
• F-Droid
• from F-Droid: OpenKeychain and OKC Agent
• Termux (recommended: also from F-Droid)

Immediately disable Battery optimization / set “don’t optimize” for:
• OpenKeychain
• OKC Agent
• Termux

(On some phones Android kills apps in the background, so the authorization notification can “blink and disappear”.)



1) On the computer (where you already use YubiKey + OpenPGP)
List keys (to confirm which UID/email you use):

    gpg --list-secret-keys --keyid-format LONG

Export secret subkeys (point: you do NOT export the master key, only subkeys):

    gpg --armor --export-secret-subkeys [email protected] > your-secret-subkeys.asc

Copy the file your-secret-subkeys.asc to Android (e.g. Downloads).



2) Android: import into OpenKeychain
In OpenKeychain:
• Import → select your-secret-subkeys.asc

After import, it may show multiple identities/UIDs or multiple entries (e.g. 3 items with the same email); that is normal.



3) Android: OKC Agent setup
In OKC Agent:
1. Select GPG Key
Select the key you imported (the email/UID you use).
2. Add SSH Key
Add the SSH identity that OKC Agent offers.

After this, in OKC Agent you should see an SSH identity listed, e.g. something like:

    (502401212q855qms)


4) Android: Termux (packages + agent)

Update + install:

    pkg update
    pkg install openssh termux-auth -y

Check if the agent sees identities:

    ssh-add -L

If it says:

    The agent has no identities.

then step 3 in OKC Agent was not done correctly (Add SSH Key), or the wrong GPG key was selected.



5) SSH login
Normal: Debug when it gets stuck (signing/authorization):

    ssh -vvv -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes [email protected]

When authentication starts, Android shows a notification like:
Authorization Required – Click here to authorize your crypto operation…

Then:
• tap the notification
• OpenKeychain opens a prompt and you confirm (first time it asks for PIN/passphrase, later it usually remembers it)

If the notification “blinks and disappears”:
• verify Battery optimization is OFF for OpenKeychain/OKC Agent/Termux
• verify the apps are not being killed in the background



6) (Optional) SSH_ASKPASS trick, only if needed
Not always required, but if Termux does not show the prompt properly or you want to force a GUI prompt:

    export SSH_ASKPASS=/data/data/com.termux/files/usr/bin/termux-ssh-askpass
    export DISPLAY=:0
    export SSH_ASKPASS_REQUIRE=force

Then again:

NOTES:
  • After closing and reopening Termux, run:

    eval "$(okc-ssh-agent)"
    ssh-add -L

  • If you ever get:

    ssh [email protected]
    ssh_askpass: exec(/data/data/com.termux/files/usr/bin/termux-ssh-askpass): Permission denied
    Host key verification failed.

    -> use SSH like this:

    SSH_ASKPASS= SSH_ASKPASS_REQUIRE=never ssh [email protected]
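
The agent checks from step 4 and the NOTES, combined into one helper. This is an added example, not part of the original post. It relies on ssh-add's documented exit codes (0 = identities listed, 1 = no identities, 2 = agent unreachable). The function names and the SSH_ADD_CMD / AGENT_CMD override variables are hypothetical, chosen here so the logic can be exercised without a phone.

```shell
#!/bin/sh
# Added example: diagnose the Termux SSH agent state before running ssh.
# SSH_ADD_CMD and AGENT_CMD are hypothetical overrides (defaults: ssh-add,
# okc-ssh-agent); they exist only so the logic can be tested with stubs.

# agent_state: print "ready", "no-identities" or "no-agent".
agent_state() {
    rc=0
    "${SSH_ADD_CMD:-ssh-add}" -L >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ready ;;
        1) echo no-identities ;;  # agent answers but holds no key (step 3)
        *) echo no-agent ;;       # 2 = agent unreachable; 127 = ssh-add missing
    esac
}

# ensure_agent: if no agent is reachable, start okc-ssh-agent once (as in the
# NOTES) and re-check. Returns 0 only when at least one identity is offered.
ensure_agent() {
    state=$(agent_state)
    if [ "$state" = no-agent ]; then
        agent_cmd=${AGENT_CMD:-okc-ssh-agent}
        if command -v "$agent_cmd" >/dev/null 2>&1; then
            # The agent prints shell assignments (SSH_AUTH_SOCK etc.) to eval.
            eval "$("$agent_cmd")" >/dev/null
            state=$(agent_state)
        fi
    fi
    case $state in
        ready)
            echo "agent ready" ;;
        no-identities)
            echo "agent reachable but empty: redo 'Add SSH Key' in OKC Agent, or check the selected GPG key" ;;
        no-agent)
            echo "no agent reachable: run eval \"\$(okc-ssh-agent)\" and check that OKC Agent is not being killed" ;;
    esac
    [ "$state" = ready ]
}
```

In Termux, source this file from your shell startup file and call ensure_agent before ssh; a non-zero return means the login would fail before the authorization notification ever appears.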