rgb.sh RSS

macOS YubiKey Setup

June 16 2023

How to use a YubiKey with SSH and GPG on macOS Ventura.

I use a YubiKey on my personal devices to store my SSH and GPG keys. In theory this is for security reasons, but in practice I think this was just for fun.

Anyway, getting this set up on my MacBook hit way more issues than I anticipated, so I put together this post collecting everything I had to do. I’ll be assuming that you are using Homebrew, but note that this was done on an Intel MacBook so paths are likely different for Apple Silicon.


Creating *_sk Keys

SSH supports creating security-key-hosted *_sk keys, which are required if you want your SSH keys on your YubiKey. Currently, these are id_ecdsa_sk and id_ed25519_sk.

See Yubico’s page on Securing SSH with FIDO2 for details on creating *_sk SSH keys on your YubiKey.

Using *_sk Keys

The built-in ssh on Ventura has support for *_sk keys removed for whatever reason. You’ll need to install openssh from Homebrew to get support:

brew install openssh

This loses Apple’s Keychain integration, but as I don’t use that feature anyway this isn’t a loss.

Next, you’ll need to download the configuration file in Lorenz Bauer’s GitHub Gist. This let’s us use Homebrew’s ssh-agent instead of the built-in version lacking *_sk support. Place this file at Library/LaunchAgents/homebrew.com.openssh.ssh-agent.plist and run:

launchctl load Library/LaunchAgents/homebrew.com.openssh.ssh-agent.plist

Without this, attempts to add keys to the ssh-agent (e.g. ssh-add) will start the built-in ssh-agent and fail.

Forwarding SSH Keys

If your remote machine only has an *_sk type SSH key, you’ll need to forward your local keys for SSH operations (e.g. pushing git commits) as you can’t touch the remote YubiKey for validation. To do so, you’ll want to make the following changes to ~/.ssh/config:

AddKeysToAgent yes

Host server_name
  ForwardAgent yes

AddKeysToAgent automatically adds keys to your agent on use, while ForwardAgent makes your local keys available on the remote machine server_name. I’ve put ForwardAgent under a Host because it’s not a great idea to be forwarding all of my keys by default. See the ssh_config man page for more details on these options.

You can use ssh-add -L while connected to the remote machine to confirm your local keys are available.

Visual Studio Code

VSCode grabs the built-in ssh by default, but that can be fixed with a change to your settings.json:

  "remote.SSH.path": "/usr/local/bin/ssh",


Adding a GPG Key to YubiKey

You’ll need to install gnupg from Homebrew:

brew install gnupg

See Yubico’s article Using Your YubiKey with OpenPGP for details on how to create GPG keys and then add them to your YubiKey.


In order to use a GPG key on a YubiKey, you’ll have to enter a PIN. By default, GPG was not configured correctly to ask for a PIN; instead, I would hit an IO error when GPG failed to show the PIN prompt. I found the easiest fix to be configuring gpg-agent to use pinentry-mac, which can be installed with:

brew install pinentry-mac

This can then be activated by adding the following to ~/.gnupu/gpg-agent.conf:

pinentry-program /usr/local/bin/pinentry-mac

and running:

gpg-connect-agent reloadagent /bye

There are other versions of pinentry which can be configured based on preference (e.g. pinentry-curses or pinentry-tty).

Signing Git Commits

If you want to sign your git commits (and get the nice “Verified” label on GitHub), you just need to add the following to your ~/.config/git/config (or ~/.gitconfig):

  gpgsign = true
  signingkey = PUBLIC_KEY

See the git manual for more details.

Oh My Zsh

Oh My Zsh includes plugins to start both ssh-agent and gpg-agent, which you can add in your ~/.zshrc:


# Assuming macOS is my laptop
# Need ssh-agent on client and gpg-agent on server
if [[ "$(uname)" == "Darwin" ]]; then

See the ssh-agent README for more details on options.

Note that if the ssh-agent plugin is active on your remote machine it will override your forwarded keys!