age: Integration with OpenPGP Card without a Plugin #40
Comments
It won't avoid a plugin for decryption, because that is how the OpenPGP Card integration would be implemented. But it would avoid a plugin for encryption.
We cannot do this for the
It might be worth considering for a future v2 format though. |
From YubiKey firmware 5.2.3 (https://developers.yubico.com/PGP/YubiKey_5.2.3_Enhancements_to_OpenPGP_3.4.html), X25519 is supported.
When we use X25519 keys in OpenPGP, we can write private keys to a OpenPGP Card(e.g. YubiKey), If we do so, we can protect the private keys with hardware.
We can use the same key pair in age, and this will bring us hardware protected feature with out a plugin.
For OpenPGP Card, send below command to the card via PC/SC:
The we will get the
shared secret, and then the age file can be decrypted.Although it will work, but when we have multiple recipients, I need to try all the X25519 recipient stanzas with OpenPGP Card. But OpenPGP operation is verify heavy, it requires PIN and a touch(If turn the policy on).
So if we want to support OpenPGP Card protected age encrypted files, we need a quick lightweight way to verify X25519 recipient stanza, my suggestion is that add an additional argument to X25519 recipient stanza.
Current X25519 recipient stanza is like this:
Then change to:
RECIPIENTcan beHmac_SHA256(recipient, ephemeral share), with this additional argument we can confirm which recipient is correct quickly.The text was updated successfully, but these errors were encountered: