[FEATURE] Integrate hwsecurity to leverage PIV (for Solo v2 keys) #1486
Comments
colemickens
added
C-feature
|
I don't have the time yet to actually look through the code but the simple fact that none of the maintainers own a SoloKeys product (to my knowledge) makes it a non-starter for us to work on it. If someone can volunteer time to contribute this I'd be happy to assist them. Alternatively, sponsoring one of the maintainers for their time and whatever the cost ends up being for procuring one of Solo's security keys can also be an option if anyone from @android-password-store/devs is up for it. |
msfjarvis
added
A-auth
|
We'd be happy to send over a few keys for contributors, just drop an email to hello@solokeys.com if there is developer interest. Thinking experimentally, there are a few projects named "passage", i.e. pass backed by age instead of pgp, including some with PIV backend. Also FYI, Nitrokey has plans to develop a PGP app, that would then run on both vendors' keys as they reuse our Trussed framework. |
Great, I'll have a chat with the maintainers and see who all are willing to take this feature up.
I've already been burned by OpenKeychain's poorly designed app locking us into its ecosystem then going into maintenance mode, so I'm very unlikely to switch to a different external app for PGP anytime soon. We're in the process of introducing a new PGP backend powered by Gopenpgp which we intend to fully switch over to in APS v2. Re: passage and PIV, we've refactored a fair chunk of the crypto code to allow multiple backends and there is maintainer interest in age, so we will likely be supporting it once Filippo's official version of passage is out. |
|
I'm very much looking forward to replacing my usage of GPG with hardware tokens for SSH authentication and pass encryption with PIV/age. I don't think the age ecosystem is quite there yet though, but it also doesn't make sense to implement PIV support now if not backed by age. Based on my understanding of the ecosystem, the following parts are still missing:
Once these exist, I would happily work on the following ingredients on getting age support into APS:
|
msfjarvis
added
the
S-help-wanted
|
Status update on the required components
Filippo has an alpha release available for his port of
This has yet to happen in the reference Go implementation, but the rage implementation written in Rust offers a first-party Yubikey plugin: age-plugin-yubikey.
This does not exist yet. It's briefly discussed in the age-plugin-yubikey README noting why this is currently unimplemented. |
|
I'm working through the list on my side and making progress! :) https://twitter.com/FiloSottile/status/1469041023196221444 Feel free to @ me if I can help with roadmap planning, design decisions, or fixing things on our side to make this possible! |
Is your feature request related to a problem? Please describe.
Not really.
Solo Keys is having a v2 with Rust-based firmware. It seems, at launch, they expect to only provide a PIV-based application, and not an OpenPGP-based application.
I understand that on Windows and Linux, I have options, such as using
gnupg-pkcs11-scd.Describe the solution you'd like
Using this GPLv3 library to perform encrypt/decrypt operations via PIV/smartcard : https://github.com/cotechde/hwsecurity/tree/master/hwsecurity/piv/src/main
Describe alternatives you've considered
The only alternative seems more expensive: write an OpenPGP app for the Trussed firmware.
Additional context
n/a
Thank you very much for Password Store. I understand if this is out-of-scope, but I thought I'd ask, I'd really like to switch to open-(firmware-)source keys.
The text was updated successfully, but these errors were encountered: