Yes, but not directly. While both PGP and SSH use RSA (or other asymmetric algorithms), their key formats and usage protocols differ. SSH requires keys in the OpenSSH format, while PGP keys are typically stored in GPG's proprietary format. However, with minimal client-side conversion, you can repurpose your existing PGP key for SSH authentication.
First, export your PGP private key from GPG:

```bash
gpg --export-secret-key -a KEY_ID > private.pgp
```

Then convert it to PEM format (required for SSH):

```bash
gpg --export-secret-key KEY_ID | openpgp2ssh KEY_ID > private.pem
chmod 600 private.pem  # the PEM holds the unencrypted private key
```

Note: The openpgp2ssh tool comes with recent versions of GnuPG.

Once you have the PEM file, generate the SSH public key:

```bash
ssh-keygen -y -f private.pem > public_key.pub
```

This creates the OpenSSH-compatible public key that servers expect.
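- Key Type Support: While RSA works well, newer algorithms like Ed25519 may require additional conversion steps.
- Agent Integration: Add your converted key to ssh-agent for convenience:

```bash
ssh-add private.pem
```

~/.ssh/authorized_keys as usual.

For frequent use, create a script to handle the conversion:

```bash
#!/bin/bash
set -euo pipefail
KEY_ID=$1
# Temporary file for the converted private key (mktemp creates it mode 0600)
TMP_FILE=$(mktemp)
# Remove the private key material even if a step fails
trap 'rm -f "$TMP_FILE"' EXIT
gpg --export-secret-key "$KEY_ID" | openpgp2ssh "$KEY_ID" > "$TMP_FILE"
# Print the OpenSSH public key
ssh-keygen -y -f "$TMP_FILE"
```
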
Using the same key for both PGP and SSH means:
- Compromise of one system affects both
- Consider using separate subkeys for SSH if your threat model requires it
- Regular key rotation becomes more critical
The question of whether PGP keys can double as SSH keys arises from their shared cryptographic foundations. Both systems use RSA (among other algorithms), but their key formats and usage protocols differ significantly:
```
# Typical SSH RSA key header
-----BEGIN RSA PRIVATE KEY-----
# Versus PGP key header
-----BEGIN PGP PRIVATE KEY BLOCK-----
```
The fundamental incompatibility stems from:
- Different ASN.1 encoding formats
- PGP's additional metadata (user IDs, expiration, etc.)
- SSH's expectation of a specific key format
While server-side modifications would be ideal, here's a client-side approach using only widely available tools:
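```bash
# Extract raw RSA components from PGP key.
# export-reset-subkey-passwd (a GnuPG 1.4/2.0 export option) clears the subkey
# passphrase in the export; openpgp2ssh cannot read passphrase-protected keys.
# your_subkey_id is a placeholder for the authentication subkey's ID.
(umask 077; gpg --export-options export-reset-subkey-passwd \
    --export-secret-subkeys your_key_id | \
  openpgp2ssh your_subkey_id > ~/.ssh/id_rsa_from_pgp)
# Set proper permissions
chmod 600 ~/.ssh/id_rsa_from_pgp
```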
Important considerations when using this method:
Factor | Impact |
---|---|
Subkey usage | Must use authentication-capable subkeys |
Passphrase handling | SSH agent may not handle PGP passphrases well |
Key expiration | SSH won't honor PGP expiration dates |
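
A check for two rows of the table above (authentication-capable subkeys, and expiry that SSH will not enforce), as an added example that is not from the original page. The function name `auth_subkey_report` and the sample listing are constructed for illustration; the field positions are those of `gpg --with-colons` output.

```shell
#!/bin/bash
# Added example: decide which subkeys are fit to convert for SSH, reading
# `gpg --with-colons --list-keys KEY_ID` output on stdin.
# Colon fields used: 1=record type, 2=validity, 4=algorithm, 5=key ID,
# 7=expiry (epoch seconds, empty = never), 12=capabilities.
# Optional argument: "now" as epoch seconds, so the check is repeatable.
auth_subkey_report() {
    awk -F: -v now="${1:-$(date +%s)}" '
        $1 != "sub" { next }     # skip primary key and uid records
        $12 !~ /a/  { next }     # skip subkeys without the authentication flag
        {
            status = "ok"
            if ($2 == "r") status = "revoked"
            else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) status = "expired"
            else if ($4 + 0 != 1) status = "non-rsa"   # algorithm 1 = RSA
            print $5, status
        }'
}

# Constructed sample listing (key IDs and dates are made up).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e::::::23:
sub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1893456000:::::a::::::23:
sub:e:4096:1:DDDDDDDDDDDDDDDD:1500000000:1600000000:::::a::::::23:
sub:u:255:22:EEEEEEEEEEEEEEEE:1500000000::::::a:::::ed25519::0:
EOF
}

# Real use (assumes gpg is installed):
#   gpg --with-colons --list-keys KEY_ID | auth_subkey_report
```

Only a subkey reported as `ok` is a candidate for conversion. Because sshd never sees the PGP expiry or revocation, rerun the check periodically and remove the matching `authorized_keys` entry when the status changes.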
For those willing to install minimal client software, gpg-agent can act as an SSH agent:

```bash
# In ~/.bashrc or equivalent
# (gpg-agent also needs "enable-ssh-support" in ~/.gnupg/gpg-agent.conf)
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```

Using PGP keys for SSH introduces additional attack surface:
- Compromised SSH access now affects PGP trust
- Different revocation mechanisms between systems
- Potential for weaker subkeys to be used
Here's how to configure SSH to use a converted PGP key:
```
# ~/.ssh/config example
Host github.com
    IdentityFile ~/.ssh/id_rsa_from_pgp
    IdentitiesOnly yes
```