Age key support #134

Open
Tomaszal opened this issue Oct 18, 2022 · 6 comments
Comments

@Tomaszal

As outlined in Mic92/ssh-to-age#14, it would be great if it would be possible to use piv-agent to generate age keys in some way.

Currently the only way to get SSH keys from Yubikey seems to be age-plugin-yubikey. Unfortunately it doesn't seem to be able to use the PIV keys generated by piv-agent. While that itself isn't too big of a deal, it also seems that age-plugin-yubikey cannot run while piv-agent is active, as the PIV device is busy. That means that piv-agent would have to be stopped every time a file needs to be encrypted or decrypted, which is really inconvenient.

Depending on the outcome of Mic92/ssh-to-age#14, it might be possible to get age keys from the SSH keys generated by piv-agent. However, I realised that piv-agent is already generating both SSH and GPG keys, so why not age? @str4d seems to acknowledge that some sort of an agent would be good to implement for age keys, and I have a hunch that piv-agent might already have a lot of the groundwork necessary for that.

@smlx
Owner

smlx commented Oct 19, 2022

Yes I'd like to implement this but the current specification for the plugin interface to age is still a work in progress C2SP/C2SP#5

@Tomaszal
Author

Hi @smlx, it seems the specification was merged last year; is this still something you would like to do? With age keys gaining support and git being able to use SSH keys for signing, it finally feels feasible to mostly avoid using PGP keys as a developer. It would be fantastic if piv-agent could provide age keys, as imo it still has the best UX of the physical security key SSH solutions (including yubikey-agent), but the GPG experience isn't great (not a fault of this project; GPG is just a pain to work with in general), which would be possible to avoid with age.

@smlx
Owner

smlx commented Apr 2, 2024

Thanks for the bump, and I totally agree that it would be amazing to eliminate GPG from common development workflows.

age support is still on my TODO list, but not a super high priority for now because ideally we should keep the x25519 key in hardware. Yubikeys are getting PIV support for x25519 sometime soon so once I've got hardware with support I'll be able to implement this feature.

Yes technically piv-agent could use x25519 key files for this, but it just isn't very interesting because for me at least key files are only an emergency fallback mechanism.

@str4d

str4d commented Apr 2, 2024

Once I get access to a YubiKey with firmware 5.7.0+, I will add support for native age identities to age-plugin-yubikey, likely following the same pattern as I used for the P-256 slots (storing them in the reserved slots, making them identifiable in the self-signed certificate, and extracting PIN+touch policies from the YK cert extension). It would be great for piv-agent to be compatible with this!

It would also be good to know how piv-agent's existing P-256 YubiKey support is incompatible with age-plugin-yubikey. How are you generating and managing those?

@smlx
Owner

smlx commented Apr 2, 2024

I agree it would be nice for piv-agent to be compatible with age-plugin-yubikey. I haven't looked into how you are doing PIN/touch policies, but in piv-agent it is purely convention as described in https://github.com/smlx/piv-agent/blob/main/internal/securitykey/slotspec.go

The generation of certificates in piv-agent is mostly cribbed from the way yubikey-agent does it.

Could you elaborate a bit on how you manage PIN/touch policies in cert extensions for age-plugin-yubikey?

@Tomaszal
Author

Tomaszal commented May 6, 2024

Yubico says "security keys with firmware 5.7 will be available to purchase in late May 2024" in their latest press release. They also confirmed Ed25519 and X25519 PIV support in the new firmware.
