Feature Request: Support Hardware SSH Keys (FIDO) [Key type [email protected]]

[cwross]

I was excited when I learned that age permits the use of SSH keys. I keep my SSH keys on Yubikey 5 hardware devices. Unfortunately, it looks like this key type is not supported in age, which is too bad - being able to use my hardware keys would be such an awesome use case for managing encrypted backups. I am not technically savvy enough to know if supporting the sk-ssh-ed25519 key type would be possible, but I think it would be super useful to those of us with hardware keys if it can be done! Thanks!

user@machine ~ [1]> age -R id_yubikey.pub test.txt > test.txt.age
age: warning: recipients file "id_yubikey.pub": ignoring unsupported SSH key of type "[email protected]" at line 1
age: error: failed to parse recipient file "id_yubikey.pub": "id_yubikey.pub": no recipients found
age: report unexpected or unhelpful errors at https://filippo.io/age/report

[str4d]

This SSH key type uses the FIDO2 protocol to communicate with the hardware token. To my knowledge, the FIDO2 protocol only exposes an authentication API; it does not expose the core primitive scalar multiplication operation that is required to implement the recipient encryption that age requires. So it is likely not possible to ever support these kinds of hardware keys.

You can encrypt to an identity stored on a YubiKey, by using the age-plugin-yubikey plugin. That stores native age identities in the PIV applet, rather than using the U2F or GPG applets.

[yakimant]

git commits signing works with:

[commit]
  gpgsign = true
[gpg]
   format = ssh

So auth and sign is supported, only encryption is missing?

Also replied in str4d/rage#272

[yakimant]

Also check this repo, there is some hope:
https://github.com/olastor/age-plugin-fido2-hmac

[yakimant]

Maybe this will help one day:
https://github.com/olastor/age-plugin-fido2-hmac