Sign/encrypt files with Nitrokey

[4jNsY6fCVqZv]

What it says on the tin! This issue is thematically well suited to the following discussions: elementary/pantheon-agent-polkit#33 elementary/pantheon-agent-polkit#40 elementary/greeter#230 elementary/mail#345 https://github.com/elementary/switchboard-plug-onlineaccounts/issues/89 https://github.com/elementary/installer/issues/368 https://github.com/elementary/appcenter/issues/936

Unlike a Yubikey, it is Free Hardware and Free Software, which is mostly manufactured locally (in Berlin, Germany).

Here you can find more general information: https://www.nitrokey.com/ & https://github.com/nitrokey

This integration can also be used to decrypt your hard disks - see LUKS/LUKS2 - or as a solution for Two-factor authentication in the Installer and Switchboard Online Accounts Plug. Integration with Mail (to sign, encrypt and decrypt emails) and for installing Software with AppCenter it's also very useful.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/68939643-integrate-nitrokey-support-to-let-users-sign-encrypt-and-decrypt-files?utm_campaign=plugin&utm_content=tracker%2F65602118&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F65602118&utm_medium=issues&utm_source=github).

[4jNsY6fCVqZv]

@jeremypw What do you think about support for actions with a hardware based token in Files? Of course this is also exciting as a cross-system thought as you can see from the other linked issues. But when you first think about the chances and possibilities for Files ...

[jeremypw]

Files should certainly support any system-wide hardware encryption facility. Not sure whether it needs to be, or should be, tied to a particular device. Adding the ability to encrypt/decrypt files easily would be nice if it can be done with a contractor or plugin.

[4jNsY6fCVqZv]

Do you know if the team is already discussing ideas to enable system-wide encryption using hardware tokens? For example, Purism has introduced a way for its system https://puri.sm/products/librem-key/. Basically, that was a branded Nitrokey before they started their own production. Of course the support should not be tied to a particular device. But Nitrokeys are a good reference because they are based on Free Hardware and Free Software.

[jeremypw]

There is a #security channel in the elementary Slack workspace but there does not appear to have been any recent activity. I could post a link to this issue there.

[4jNsY6fCVqZv]

yes, that would be wonderful and supportive. thank you very much!

[jeremypw]

I posted an invitation to comment on this issue in the elementary Slack #security channel (16 members) a couple of weeks ago but so far no response.

[4jNsY6fCVqZv]

Oh, thank you, do you have any idea why? And do you know if Daniel or Cassidy already have thoughts on this subject?

[jeremypw]

@4jNsY6fCVqZv That channel seems to be little used it seems. I have reposted in the general channel.

[4jNsY6fCVqZv]

@jeremypw Thank you, I'm curious! Do you know how far the topic of authentication is already being discussed? There are also some mockups that go in that direction. https://github.com/elementary/pantheon-agent-polkit/issues/33#issuecomment-417801703

[jeremypw]

@4jNsY6fCVqZv I haven't seen anything recent in Slack although I can only search the last 10,000 messages. That polkit issue is interesting though it seems to have stalled. Its not really my area of expertise unfortunately.

[4jNsY6fCVqZv]

@jeremypw Thank you for investigating! Is there a direct contact person for such an issue?

[jeremypw]

I am not sure who the current maintainer of polkit-agent is but @donadigo wrote a lot of the code...

[jeremypw]

I have created a simple contractor for encrypting and decrypting individual files here: https://github.com/jeremypw/gpg_wrapper. As it is an initial release, it may not yet have all the functionality desired.

[4jNsY6fCVqZv]

Thanks for working on this! I think it would be okay for me to close this issue if your tool works well and it is clear that Files doesn't want to offer this functionality out of the box.

[jeremypw]

You might as well leave it open until someone flags it as "Out of scope"