Sets88 / ssh-crypt

This tool helps you to keep passwords inside your shell scripts safely
BSD 3-Clause "New" or "Revised" License

P256 (ecdsa) key support? #11

Open LRvKochel opened 1 month ago

LRvKochel commented 1 month ago

I've been using your lovely ssh-crypt utility for some time. It's great.

I recently started using an app called Secretive (https://github.com/maxgoedjen/secretive) that allows use of macOS computers' 'Secure Enclave (SE)' hardware to generate and store ssh keys, and make them available via the ssh agent mechanism.

It would be great to use them together so key storage is enhanced via the SE and then ssh-crypt can be used for encrypt/decrypt operations with those keys. Sadly, a limitation of the SE by Apple is that it only supports NIST P256, while (yours and others' implementations of) ssh-crypt has RSA and Ed25519 as options. So ssh-crypt and Secretive can't be used together.

How difficult would it be for you to add P256 key support to ssh-crypt? I see that it is available within Python's paramiko module. Unfortunately, I am not a Python programmer, else I'd try the enhancement myself.

Regards

LR.

Sets88 commented 1 month ago

The key mechanism of how ssh-crypt works is that when the same data is signed multiple times, it produces the same signature, which is later used as an AES key. Both ssh-rsa and ssh-ed25519 have deterministic signature generation. However, most ECDSA implementations are non-deterministic, and the ssh-agent doesn't provide any options to configure this in their subscription interface. Therefore, it's not possible to use ECDSA for ssh-crypt, at least in its current form. There might be a way to convert a non-deterministic signature to something deterministic, but this requires further research.

LRvKochel commented 1 month ago

Thank you very much for the very clear explanation. Much appreciated. Should you decide to further investigate ways of getting ECDSA support to work in the required way, and succeed, I shall look forward to the enhancement. Thanks again.