Open Ciantic opened 3 years ago
I think I may misunderstand what age-plugin-yubikey
does... Maybe if I use yubico-piv-tool
and move the SSH key there, I can then use age-plugin-yubikey
to access the SSH key for encryption/decryption.
This plugin adds hardware token support to age
by storing a NIST-P256 key in the PIV applet.
We don't currently have support for importing an existing key, but if we did, and added support for SSH keys, it would need to be using the same curve as above. We will therefore not support ssh-rsa
keys (which don't match what the plugin's protocol requires) and cannot support ssh-ed25519
keys (which use a curve that YubiKey's PIV applet doesn't even support). Given that those are the only two SSH key types natively supported by age
for backwards-compatibility, it's unlikely we'll add SSH key support natively to this plugin.
That being said, the plugin can use manually imported keys, so if you import your P256 key into one of the retired slots using a tool that can do that (Yubico's CLI tool can, IIRC their GUI tool can't), you should then be able to use age-plugin-yubikey
to generate the corresponding recipient and identity.
Note that you can't use your SSH pubkey for encryption, it will be a specific recipient (which is necessary in order for the age
clients to trigger the correct plugin), but the decryption would be using the same key (just stored in a different applet). Because of this, I don't really see the benefit to doing this, as the whole point of supporting SSH keys was to enable reusing an existing pubkey. Given you'll need to start using a separate recipient string, it may as well correspond to a fresh key.
(There's separately rationale for the ability to import keys, as "enabling the key to be backed up outside the YubiKey", but I argue it's much better to instead just have multiple YKs and encrypt to all of them at once using a recipient file, and then add/remove YKs as necessary for rotation.)
Thanks for your answer. I'm investigating this myself.
Simply put I'm trying to do this: Allow ssh-agent/encryption/decryption using rage/age
with just my SSH key stored in YubiKey.
Use case: Suppose someone sends me encrypted file using https://github.com/Ciantic.keys with rage then I'd like to decrypt it with key stored in YubiKey.
Mostly the confusing part is the YubiKey, with multiple tools and unhelpful errors. Not a fault of this program, the YubiKey is very unclear what is possible and what isn't.
Edit: Oh yeah, I'm experimenting with SSH-ED25519 key, trying to upload it to PIV slot.
Use case: Suppose someone sends me encrypted file using https://github.com/Ciantic.keys with rage then I'd like to decrypt it with key stored in YubiKey.
This could work, if it contains a P256 SSH key and someone transforms that SSH key into the correct age-plugin-yubikey
format. So not Just Works, but possible.
Edit: Oh yeah, I'm experimenting with SSH-ED25519 key, trying to upload it to PIV slot.
Only recent YubiKeys (manufactured after - [ ] November 2019 IIRC) support curve25519, and I'm not sure whether they do so in the PIV applet. That's why we picked P256 instead.
I've taken a look at the specification and it seems that PIV does not support curve25519, only P256 and P384. However, it does support RSA 1024/2048. The yubikey, according to this also does have a slot for RSA2048.
I am not security expert by any means, and I have no clue if it is even possible to make àge work with RSA2048. I just wanted to point these two findings out!
I've taken a look at the specification and it seems that PIV does not support curve25519
Related #174
Worth pointing out that the Yubico docs on the supported algorithms for the Yubikey 5's "PIV-compatible" smartcard functionality claim it supports Ed25519 from firmware version 5.7 onwards:
The YubiKey 5 Series supports the following algorithms on the PIV smart card application.
Firmware Versions | ||
---|---|---|
Algorithm (Identifier) | 5.0.x - 5.6.x | 5.7.x |
… | ||
Ed25519/x25519 (0xe0) | yes |
Edit: literally what @pinpox was just pointing out. Note to self: read the related issues before posting :smile:
What were you trying to do
Upload SSH key to YubiKey
What happened
I have no idea how to do it! I was pointed to here from elsewhere. Currently I have nice setup where I have SSH key in YubiKey using OpenPGP. I can generate SSH key using OpenPGP then make paper backup of it, store it to Yubikey and authenticate using pgp agent.
I'm trying to replicate this behavior with age/rage, but can't figure out how can I upload my SSH key to the YubiKey.
I suspect it's not possible to generate SSH key on my computer (to make backup of it) and store it to YubiKey. Maybe if that's the case it could be mentioned. If that is the case, I have to stick with OpenPGP generated SSH key, which can be uploaded using yubikey management tools.