str4d / age-plugin-yubikey

YubiKey plugin for age
Apache License 2.0

Add support for AES management keys #92

Open str4d opened 1 year ago

str4d commented 1 year ago

Once https://github.com/iqlusioninc/yubikey.rs/issues/330 is resolved, we should start using PIN-protected AES management keys for YubiKeys that support them. We should also migrate YubiKeys that we previously configured to use a PIN-protected TDES management key, if AES is supported.

str4d commented 1 year ago

We want to ensure that a YubiKey set up by age-plugin-yubikey is usable with yubikey-agent, so we use the same management setup (PIN-protected management key, PUK set to PIN) as yubikey-agent. We therefore need to synchronise on AES management key usage, which means we also need to block on https://github.com/go-piv/piv-go/issues/109.

PriceHiller commented 3 weeks ago

It appears https://github.com/go-piv/piv-go/issues/109 has now been resolved and should hopefully no longer be blocking.

What all needs to be done for AES support?

EDIT: it appears this is still blocked on https://github.com/iqlusioninc/yubikey.rs/issues/330?

str4d commented 2 days ago

I now have a new YubiKey with firmware 5.7.1, and it appears to come with AES as the default management key algorithm. The error message I previously added does trigger correctly (telling the user to switch to TDES).

@PriceHiller yes this is blocked on support in the yubikey crate.