by jopsen 1485 days ago
Curious, if you delete the stub in ~/.ssh/id_ed25519_sk, can you then recover the key?

Or does the on-the-fly key generation use random bytes stored in the stub?


I suggest testing it yourself in any case; I don't think this article is correct in this. I did try it in the past with a Google Titan and not a Yubikey, and I could be wrong.

EDIT: `-O resident` might be what is doing it though, I wasn't aware of this option.

> EDIT: `-O resident` might be what is doing it though, I wasn't aware of this option.

Indeed. This will use FIDO2 Discoverable Credentials / Resident Keys. Those are fully stored on-key (but their number is limited): https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu....

Non-resident keys will basically give out the private key encrypted with a static master key as the key handle and thus support an unlimited number of keys. If you lose the key handle, then the key is gone. That's probably what you were experiencing with your Titan.
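To make the resident vs. non-resident distinction from the comment above concrete, here is a toy model of an authenticator, added as an illustration and not taken from the original thread or from any vendor's firmware. It keeps a bounded table for resident credentials, and for non-resident credentials it stores nothing: the key handle it returns either carries the private seed wrapped under the device's static master key (the scheme the comment describes) or carries a nonce from which the seed is re-derived (the variant the follow-up reply alludes to). The wrapping uses an HMAC-derived keystream plus an HMAC tag purely for self-containment; real devices use their own cipher and format. The relying-party identifier `"ssh:"` is the default application string OpenSSH uses for `-sk` keys; the slot count, labels and all names here are assumptions.

```python
import hashlib
import hmac
import secrets


class ToyAuthenticator:
    """Simulated FIDO authenticator with one static master key.

    Resident (discoverable) credentials live in a bounded on-device table.
    Non-resident credentials keep no device state: the key handle handed to
    the relying party carries (or determines) the secret, so losing the
    handle loses the key, while a handle from another device, or one for
    another relying party, is rejected.  Toy construction, not a vendor's.
    """

    RESIDENT_SLOTS = 2  # assumed tiny capacity, to show the storage limit

    def __init__(self, master_key=None):
        self.master_key = master_key or secrets.token_bytes(32)
        self.resident = {}  # credential_id -> (rp_id, private_seed)

    def _prf(self, label, *parts):
        # Master-keyed PRF; every field is length-prefixed so that
        # (nonce, rp_id) pairs cannot be confused with one another.
        m = hmac.new(self.master_key, None, hashlib.sha256)
        m.update(label)
        for p in parts:
            m.update(len(p).to_bytes(2, "big") + p)
        return m.digest()

    # --- resident key: stored on the device, survives loss of the handle ---
    def make_resident(self, rp_id):
        if len(self.resident) >= self.RESIDENT_SLOTS:
            raise RuntimeError("resident credential storage full")
        cred_id = secrets.token_bytes(16)
        seed = secrets.token_bytes(32)
        self.resident[cred_id] = (rp_id, seed)
        return cred_id, seed

    def lookup_resident(self, rp_id):
        # What a "download resident keys" operation would enumerate.
        return [seed for rp, seed in self.resident.values() if rp == rp_id]

    # --- non-resident, wrapped: handle = nonce || wrapped seed || tag ------
    def make_wrapped(self, rp_id):
        seed = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        keystream = self._prf(b"wrap", nonce, rp_id.encode())
        wrapped = bytes(a ^ b for a, b in zip(seed, keystream))
        tag = self._prf(b"tag", nonce, rp_id.encode(), wrapped)[:16]
        return nonce + wrapped + tag, seed

    def unwrap(self, rp_id, handle):
        # Returns the seed, or None if the handle is not ours / not for rp_id.
        if len(handle) != 64:
            return None
        nonce, wrapped, tag = handle[:16], handle[16:48], handle[48:]
        expected = self._prf(b"tag", nonce, rp_id.encode(), wrapped)[:16]
        if not hmac.compare_digest(expected, tag):
            return None
        keystream = self._prf(b"wrap", nonce, rp_id.encode())
        return bytes(a ^ b for a, b in zip(wrapped, keystream))

    # --- non-resident, derived: handle = nonce || tag, seed = PRF(nonce) ----
    def make_derived(self, rp_id):
        nonce = secrets.token_bytes(32)
        seed = self._prf(b"derive", nonce, rp_id.encode())
        tag = self._prf(b"check", nonce, rp_id.encode())[:16]
        return nonce + tag, seed

    def rederive(self, rp_id, handle):
        if len(handle) != 48:
            return None
        nonce, tag = handle[:32], handle[32:]
        expected = self._prf(b"check", nonce, rp_id.encode())[:16]
        if not hmac.compare_digest(expected, tag):
            return None
        return self._prf(b"derive", nonce, rp_id.encode())
```

In this model the `~/.ssh/id_ed25519_sk` stub is the key handle: for `make_wrapped` and `make_derived` it is the only copy of the information needed to reach the seed, so deleting it is fatal, whereas a `make_resident` credential can still be enumerated from the device afterwards (on a real key, `ssh-keygen -K` does that download) but only until the small slot table fills up.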

> Non-resident keys will basically give out the private key encrypted...

I thought U2F took a random string from the caller and derived the private key that..