Open str4d opened 1 year ago
str4d
commented
1 year ago We want to ensure that a YubiKey set up by age-plugin-yubikey is usable with yubikey-agent, so we use the same management setup (PIN-protected management key, PUK set to PIN) as yubikey-agent. We therefore need to synchronise on AES management key usage, which means we also need to block on https://github.com/go-piv/piv-go/issues/109.
PriceHiller
commented
3 weeks ago It appears https://github.com/go-piv/piv-go/issues/109 has now been resolved and should hopefully no longer be blocking.
What all needs to be done for AES support?
EDIT: appears to still be blocked on https://github.com/iqlusioninc/yubikey.rs/issues/330 ?
str4d
commented
2 days ago I now have a new YubiKey with firmware 5.7.1, and it appears to come with AES as the default management key algorithm. The error message I previously added does trigger correctly (telling the user to switch to TDES).
@PriceHiller yes this is blocked on support in the yubikey crate.
Once https://github.com/iqlusioninc/yubikey.rs/issues/330 is resolved, we should start using PIN-protected AES management keys for YubiKeys that support them. We should also migrate YubiKeys that we previously configured to use a PIN-protected TDES management key, if AES is supported.