FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

Hardware tokens #137

Closed vext01 closed 3 years ago

vext01 commented 4 years ago

Hi there,

This isn't really a bug report.

I was wondering if there's any plan to allow the use of hardware tokens (like yubikey) with age?

I'm super-keen to ditch gpg, but I'd also like to be able to use my yubikeys!

Thanks

bdd commented 4 years ago

It is. Check out the "Later" section at https://age-encryption.org/v1

Author already implemented the necessary PKCS#11 handling parts for another project at https://github.com/FiloSottile/yubikey-agent. Maybe someone will contribute such code, maybe the author will add the feature when they can find time.

str4d commented 4 years ago

This is blocking on the plugin system (currently under design), which is how we plan to support hardware tokens. I implemented an initial draft of YubiKey support in https://github.com/str4d/rage/pull/25, but it's likely to be revised once reworked as an age plugin.

vext01 commented 4 years ago

That's great news! Thanks!

Shall I close this, or would it be useful to keep it open?

tv42 commented 4 years ago

As far as I understand, https://github.com/go-piv/piv-go/issues/79 is needed to do ECDH with Yubikeys from pure Go (EDIT: as pure as it gets, at this time). Input on the API would be welcome, I guess? Just doing a drive-by contribution...
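
The split tv42 describes, a host that only ever sees the token's public key and a token that only ever performs ECDH against a caller-supplied public key, as an added illustration in Go. This is not age's own recipient format and not the age-plugin-yubikey or yubage wire format; the `TokenSlot` type merely simulates a PIV slot in software with `crypto/ecdh`, and the stanza layout and the SHA-256-based key derivation are illustrative choices, not the plugins' actual scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TokenSlot stands in for a PIV slot on a hardware token: the private key is
// generated inside and never returned; the only operation exposed is ECDH
// against a public key the caller supplies. Illustrative, not a real driver.
type TokenSlot struct {
	priv *ecdh.PrivateKey
}

// NewTokenSlot generates a P-256 key "inside the token" (in software here).
func NewTokenSlot() (*TokenSlot, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TokenSlot{priv: priv}, nil
}

// PublicKey is what gets handed to encrypting parties (the "recipient").
func (t *TokenSlot) PublicKey() *ecdh.PublicKey { return t.priv.PublicKey() }

// ECDH is the single private-key operation the simulated token performs.
func (t *TokenSlot) ECDH(peer *ecdh.PublicKey) ([]byte, error) {
	return t.priv.ECDH(peer)
}

// Stanza is a hypothetical per-recipient header entry: the ephemeral public
// key plus the wrapped file key. Not the layout used by any real age plugin.
type Stanza struct {
	EphemeralPub []byte
	WrappedKey   []byte
}

// deriveWrapKey turns the raw shared secret into an AES-256 key, binding both
// public keys so the wrap is tied to this specific exchange (illustrative KDF).
func deriveWrapKey(shared, ephPub, tokenPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("illustrative-p256-file-key-wrap"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(tokenPub)
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFileKey runs on the encrypting host, which knows only the token's public
// key. A fresh ephemeral key per wrap means the wrap key is never reused, so a
// fixed all-zero nonce is safe.
func WrapFileKey(tokenPub *ecdh.PublicKey, fileKey []byte) (*Stanza, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(tokenPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := newAEAD(deriveWrapKey(shared, ephPub, tokenPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	return &Stanza{EphemeralPub: ephPub, WrappedKey: aead.Seal(nil, nonce, fileKey, nil)}, nil
}

// UnwrapFileKey runs on the decrypting side (where a plugin would sit) and
// needs the token only for one ECDH call against the stanza's ephemeral key.
func UnwrapFileKey(tok *TokenSlot, st *Stanza) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(st.EphemeralPub)
	if err != nil {
		return nil, fmt.Errorf("malformed ephemeral key in stanza: %w", err)
	}
	shared, err := tok.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveWrapKey(shared, st.EphemeralPub, tok.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	fk, err := aead.Open(nil, nonce, st.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("file key does not unwrap: wrong token or tampered stanza")
	}
	return fk, nil
}

func main() {
	tok, _ := NewTokenSlot()
	fileKey := bytes.Repeat([]byte{0x42}, 16) // constructed sample file key
	st, _ := WrapFileKey(tok.PublicKey(), fileKey)
	got, err := UnwrapFileKey(tok, st)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, fileKey))
}
```

Note that the host side never touches a private key at all, which is the property that makes a hardware-backed recipient worth having: the file key is recoverable only by whoever can get the token to answer one ECDH query.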

joonas-fi commented 4 years ago

Related: #142

tv42 commented 3 years ago

Heads up: I have an age-plugin-yubikey prototype that just started working right. It relies on the plugin mechanism implemented in rage v0.5.0. Next up: clean up the code base, then I'll publish it with a big "unstable format" sticker.

str4d commented 3 years ago

@tv42 if you haven't seen it, I already have a YubiKey Rust plugin at https://github.com/str4d/age-plugin-yubikey which is working (the full impl is in this branch and I'm incrementally cleaning it up and merging to main); if you're building something in another language, we should sync to ensure you are using the same protocol.

tv42 commented 3 years ago

@str4d I read your plugin but only found the nonfunctional code on master. Will take a second look.

tv42 commented 3 years ago

@str4d My code is now format-compatible with yours, you can mix & match encryption and decryption plugins and everything works. Clean up and then publishing...

tv42 commented 3 years ago

Here's my implementation of Yubikey support as a plugin: https://github.com/tv42/yubage

Nudge @str4d