go install eagain.net/go/yubage/cmd/age-plugin-yubikey
This is an age plugin for PIV cards/Yubikey.
Your secret is kept safe on the tamperproof hardware, while letting you use
the age
command-line.
WARNING: UNSTABLE Age plugins are still in flux. Consider the format unstable, you might need to re-encrypt all your data, and this software might accidentally delete your data, or eat your cat.
At this time, this software doesn't help you generate the crypto keys. However, this should work:
yubico-piv-tool --slot=82 --algorithm=ECCP256 --touch-policy=always --pin-policy=once -a generate -o MY_YUBIKEY_FILENAME.pub
yubico-piv-tool --slot=82 -a verify-pin -a selfsign-certificate --subject='/CN=MY YUBIKEY NAME HERE/O=age-plugin-yubikey/' --valid-days=3650 -i MY_YUBIKEY_FILENAME.pub -o MY_YUBIKEY_FILENAME.cert
# enter pin, touch when lights blink
yubico-piv-tool --slot=82 -a import-certificate -i MY_YUBIKEY_FILENAME.cert
Replace MY_YUBIKEY_FILENAME
and MY YUBIKEY NAME HERE
as you wish.
If you use a "management key" with your Yubikey, add the -k
flag to first and last command (actions generate
and import-certificate
).
Keys are stored in the "retired slots", available starting with Yubikey series 5. Funny name, but it's 20 slots that can be used without stepping on anyone's toes.
TODO we don't at this point have code to make age
recipient and identity strings from the above.
You can use https://github.com/str4d/age-plugin-yubikey branch twitch, for now.
filippo.io/age
, the Go reference implementation, does not support plugins as of 2021-02-01.
rage
, a Rust implementation, supports plugins in a post-v0.5.0 commit 9f824625195583c5cff0f48e5bba9b216e1fa3f6 or so.
AGE-PLUGIN-PROTOCOL: My notes and links on the age
plugin protocol.
PIV-P256-PROTOCOL: My notes on the PIV-P256 ECHDE encryption format used for Yubikeys with age
.