yubage -- an age-plugin-yubikey implementation in Go
go install eagain.net/go/yubage/cmd/age-plugin-yubikey
This is an age plugin for PIV cards/Yubikey. Your secret is kept safe on the tamperproof hardware, while letting you use the
WARNING: UNSTABLE

Age plugins are still in flux. Consider the format unstable, you might need to re-encrypt all your data, and this software might accidentally delete your data, or eat your cat.
At this time, this software doesn't help you generate the crypto keys. However, this should work:
```
yubico-piv-tool --slot=82 --algorithm=ECCP256 --touch-policy=always --pin-policy=once -a generate -o MY_YUBIKEY_FILENAME.pub
yubico-piv-tool --slot=82 -a verify-pin -a selfsign-certificate --subject='/CN=MY YUBIKEY NAME HERE/O=age-plugin-yubikey/' --valid-days=3650 -i MY_YUBIKEY_FILENAME.pub -o MY_YUBIKEY_FILENAME.cert  # enter pin, touch when lights blink
yubico-piv-tool --slot=82 -a import-certificate -i MY_YUBIKEY_FILENAME.cert
```
Change MY YUBIKEY NAME HERE as you wish.
If you use a "management key" with your Yubikey, add the -k flag to the first and last command (actions
Keys are stored in the "retired slots", available starting with Yubikey series 5. Funny name, but it's 20 slots that can be used without stepping on anyone's toes.
TODO: we don't at this point have code to make age recipient and identity strings from the above. You can use https://github.com/str4d/age-plugin-yubikey branch twitch, for now.
filippo.io/age, the Go reference implementation, does not support plugins as of 2021-02-01.
rage, a Rust implementation, supports plugins in a post-v0.5.0 commit 9f824625195583c5cff0f48e5bba9b216e1fa3f6 or so.
age plugins & Yubikey
AGE-PLUGIN-PROTOCOL: My notes and links on the age plugin protocol.
PIV-P256-PROTOCOL: My notes on the PIV-P256 ECHDE encryption format used for Yubikeys with
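As an added illustration (not yubage's code, and not the PIV-P256 format those notes describe), this Go sketch shows the shape of ECDHE wrapping against a PIV slot: the sender needs only the card's public key, and the identity side never sees the private key, it only asks the card for the ECDH result and finishes the KDF and AEAD in software. The KDF label, the salt construction and the use of AES-256-GCM are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// CardECDH is the only private-key operation the card exposes for a slot (PIV GENERAL
// AUTHENTICATE with a peer point); it returns the shared-secret x-coordinate.
type CardECDH func(peer *ecdh.PublicKey) ([]byte, error)
// Assumed KDF label for this illustration; the real PIV-P256 format defines its own.
const kdfInfo = "yubage-readme-example"

// deriveAEAD runs HKDF-SHA256 (salt = both points, one expand block) into AES-256-GCM.
func deriveAEAD(ephPub, cardPub *ecdh.PublicKey, shared []byte) (cipher.AEAD, error) {
	extract := hmac.New(sha256.New, append(ephPub.Bytes(), cardPub.Bytes()...))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(kdfInfo), 0x01))
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Wrap encrypts a file key to the card; the sender needs only the card's public key.
func Wrap(cardPub *ecdh.PublicKey, fileKey []byte) ([]byte, []byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	shared, err := eph.ECDH(cardPub)
	if err != nil { return nil, nil, err }
	aead, err := deriveAEAD(eph.PublicKey(), cardPub, shared)
	if err != nil { return nil, nil, err }
	// A zero nonce is safe here: the derived key is used for exactly one message.
	return eph.PublicKey().Bytes(), aead.Seal(nil, make([]byte, aead.NonceSize()), fileKey, nil), nil
}

// Unwrap hands the ephemeral point to the card and finishes KDF and AEAD in software.
func Unwrap(cardPub *ecdh.PublicKey, card CardECDH, ephPub, wrapped []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil { return nil, err }
	shared, err := card(peer)
	if err != nil { return nil, err }
	aead, err := deriveAEAD(peer, cardPub, shared)
	if err != nil { return nil, err }
	return aead.Open(nil, make([]byte, aead.NonceSize()), wrapped, nil)
}
```

Swapping the software stand-in for a real card only means replacing the CardECDH function with one that sends the ephemeral point to the PIV applet.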