Protect private age key with FIDO2 token #261
orolhawion
started this conversation in
General
-
Yes! We have a 3rd party plugin in development for FIDO2 keys. It's kinda tricky because FIDO2 natively is about signatures, not encryption, but we got it to work. I'll update this discussion when it's ready!
-
As of v8.2 OpenSSH supports FIDO2 as a second factor to protect the private key. This makes resident keys on a token (YubiKey etc.) avoidable. So you can locate the private key on the file system of your computer (as probably most people do anyway). In my opinion it even obsoletes passphrases for the private key, because it is simply not usable without the FIDO2 token.
I wonder if age keys could be protected the same way.