Hardware-based SSH/GPG/age agent

This project allows you to use various hardware security devices to operate GPG, SSH and age. Instead of keeping your key on your computer and decrypting it with a passphrase when you want to use it, the key is generated and stored on the device and never reaches your computer. Read more about the design here.

You can do things like sign your emails, git commits, and software packages, manage your passwords (with pass and passage, among others), authenticate web tunnels and file transfers, and more.

See the following blog posts about this tool:

• TREZOR Firmware 1.3.4 enables SSH login
• TREZOR Firmware 1.3.6 — GPG Signing, SSH Login Updates and Advanced Transaction Features for Segwit
• TREZOR Firmware 1.4.0 — GPG decryption support
• A Step by Step Guide to Securing your SSH Keys with the Ledger Nano S

Currently TREZOR One, TREZOR Model T, Keepkey, Blockstream Jade, Ledger Nano S, and OnlyKey are supported.

Components

This repository contains source code for one library as well as agents to interact with several different hardware devices:

• libagent: shared library
• trezor-agent: Using Trezor as hardware-based SSH/PGP/age agent
• ledger_agent: Using Ledger as hardware-based SSH/PGP agent
• jade_agent: Using Blockstream Jade as hardware-based SSH/PGP agent
• keepkey_agent: Using KeepKey as hardware-based SSH/PGP agent
• onlykey-agent: Using OnlyKey as hardware-based SSH/PGP agent

The /releases page on Github contains the libagent releases.

Documentation

• Installation instructions are here
• SSH instructions and common use cases are here
• GPG instructions and common use cases are here
• age instructions and common use cases are here
• Instructions to configure a Trezor-style PIN entry program are here
• Instructions for using the tools on Windows are here