Add support for AES management keys #92

Open
str4d opened this issue Dec 30, 2022 · 3 comments
Labels
enhancement New feature or request H-yubikey-5.7 Relevant to YubiKeys with firmware 5.7 S-blocked-on-upstream Status: Requires changes to an upstream dependency.

Comments

Owner

str4d commented Dec 30, 2022

Once iqlusioninc/yubikey.rs#330 is resolved, we should start using PIN-protected AES management keys for YubiKeys that support them. We should also migrate YubiKeys that we previously configured to use a PIN-protected TDES management key, if AES is supported.

str4d added the enhancement label Dec 30, 2022
Owner Author

str4d commented Jan 1, 2023

We want to ensure that a YubiKey set up by age-plugin-yubikey is usable with yubikey-agent, so we use the same management setup (PIN-protected management key, PUK set to PIN) as yubikey-agent. We therefore need to synchronise on AES management key usage, which means we also need to block on go-piv/piv-go#109.

str4d added the S-blocked-on-upstream label Aug 4, 2024

PriceHiller commented Oct 9, 2024

It appears go-piv/piv-go#109 has now been resolved and should hopefully no longer be blocking.

What all needs to be done for AES support?

EDIT: appears to still be blocked on iqlusioninc/yubikey.rs#330?

Owner Author

str4d commented Nov 1, 2024

I now have a new YubiKey with firmware 5.7.1, and it appears to come with AES as the default management key algorithm. The error message I previously added does trigger correctly (telling the user to switch to TDES).

@PriceHiller yes, this is blocked on support in the yubikey crate.

str4d added the H-yubikey-5.7 label Nov 1, 2024