
str4d / age-plugin-yubikey

License: Apache-2.0 (LICENSE-APACHE) or MIT (LICENSE-MIT)
YubiKey plugin for age


Projects that are alternatives of or similar to age-plugin-yubikey

Multiotp
multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
Stars: ✭ 173 (+26.28%)
Mutual labels:  yubikey
mitome.in
Explore OpenPGP and other cryptography as an alternative for seals (mitome-in)
Stars: ✭ 30 (-78.1%)
Mutual labels:  yubikey
yubitell
Silently extract a YubiKey serial number
Stars: ✭ 15 (-89.05%)
Mutual labels:  yubikey
Nginx Sso
SSO authentication provider for the auth_request nginx module
Stars: ✭ 195 (+42.34%)
Mutual labels:  yubikey
Lam
LDAP Account Manager
Stars: ✭ 223 (+62.77%)
Mutual labels:  yubikey
yubikey
PHP library to interface with the Yubikey REST API
Stars: ✭ 68 (-50.36%)
Mutual labels:  yubikey
Piv Go
Keys and certificates for YubiKeys, written in Go
Stars: ✭ 172 (+25.55%)
Mutual labels:  yubikey
multiOTPCredentialProvider
multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Stars: ✭ 121 (-11.68%)
Mutual labels:  yubikey
Libfido2
Provides library functionality for FIDO 2.0, including communication with a device over USB.
Stars: ✭ 244 (+78.1%)
Mutual labels:  yubikey
win-gpg-agent
[DEPRECATED] Windows helpers for GnuPG tools suite
Stars: ✭ 214 (+56.2%)
Mutual labels:  yubikey
Go Ykpiv
Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface
Stars: ✭ 196 (+43.07%)
Mutual labels:  yubikey
Python Fido2
Provides library functionality for FIDO 2.0, including communication with a device over USB.
Stars: ✭ 222 (+62.04%)
Mutual labels:  yubikey
tauri-plugin-authenticator
An official Tauri plugin for using a yubikey in your Tauri App
Stars: ✭ 42 (-69.34%)
Mutual labels:  yubikey
Yubioath Android
Yubico Authenticator for Android
Stars: ✭ 176 (+28.47%)
Mutual labels:  yubikey
YubiGuard
Python script to prevent accidental triggering of YubiKeys on Linux.
Stars: ✭ 23 (-83.21%)
Mutual labels:  yubikey
Yubico Piv Tool
Command line tool for the YubiKey PIV application
Stars: ✭ 172 (+25.55%)
Mutual labels:  yubikey
ucsf-vpn
Linux command-line client to manage a UCSF VPN connection
Stars: ✭ 30 (-78.1%)
Mutual labels:  yubikey
openconnect-gui-menu-bar
OpenConnect Menu Bar - Connect/Disconnect/Status - for Mac OS X (supports Duo push/sms/phone, or Yubikey, Google Authenticator, Duo, or any TOTP)
Stars: ✭ 56 (-59.12%)
Mutual labels:  yubikey
arduino-yksim
Simulate Yubikey with Arduino Leonardo
Stars: ✭ 61 (-55.47%)
Mutual labels:  yubikey
clarion
WebAuthn (U2F) helper for CLI operations (e.g. SSH Log in)
Stars: ✭ 78 (-43.07%)
Mutual labels:  yubikey

YubiKey plugin for age clients

age-plugin-yubikey is a plugin for age clients like age and rage, which enables files to be encrypted to age identities stored on YubiKeys.

Installation

On Windows, Linux, and macOS, you can use the pre-built binaries.

If your system has Rust 1.56+ installed (either via rustup or a system package), you can build directly from source:

cargo install age-plugin-yubikey

Help from new packagers is very welcome.

Windows Subsystem for Linux (WSL)

WSL does not currently provide native support for USB devices. However, Windows binaries installed on the host can be run from inside a WSL environment. This means that you can encrypt or decrypt files inside a WSL environment with a YubiKey:

  1. Install age-plugin-yubikey on the Windows host.
  2. Install an age client inside the WSL environment.
  3. Ensure that age-plugin-yubikey.exe is available in the WSL environment's PATH. For default WSL setups, the Windows host's PATH is automatically added to the WSL environment's PATH (see this Microsoft blog post for more details).

Configuration

There are two ways to configure a YubiKey as an age identity. You can run the plugin binary directly to use a simple text interface, which will create an age identity file:

$ age-plugin-yubikey

Or you can use command-line flags to programmatically generate an identity and print it to standard output:

$ age-plugin-yubikey --generate \
    [--serial SERIAL] \
    [--slot SLOT] \
    [--name NAME] \
    [--pin-policy PIN-POLICY] \
    [--touch-policy TOUCH-POLICY]

Once an identity has been created, you can regenerate it later:

$ age-plugin-yubikey --identity [--serial SERIAL] --slot SLOT

Usage

The age recipients contained in all connected YubiKeys can be printed on standard output:

$ age-plugin-yubikey --list

To encrypt files to these YubiKey recipients, ensure that age-plugin-yubikey is accessible in your PATH, and then use the recipients with an age client as normal (e.g. rage -r age1yubikey1...).

The output of the --list command can also be used directly to encrypt files to all recipients (e.g. age -R filename.txt).

To decrypt files encrypted to a YubiKey identity, pass the identity file to the age client as normal (e.g. rage -d -i yubikey-identity.txt).

Advanced topics

Agent support

age-plugin-yubikey does not provide or interact with an agent for decryption. As age plugin binaries have short lifetimes (they only run while the age client is running), this means that YubiKey identities configured with a PIN policy of once will actually prompt for the PIN on every decryption.

A decryption agent will most likely be implemented as a separate age plugin that interacts with yubikey-agent, enabling YubiKeys to be used simultaneously with age and SSH.

Manual setup and technical details

age-plugin-yubikey only officially supports the following YubiKey variants, set up either via the text interface or the --generate flag:

  • YubiKey 4 series
  • YubiKey 5 series

NOTE: Nano and USB-C variants of the above are also supported. The pre-YK4 YubiKey NEO series is NOT supported. The blue "Security Key by Yubico" will also not work (as it doesn't support PIV).

In practice, any PIV token with an ECDSA P-256 key and certificate in one of the 20 "retired" slots should work. You can list all age-compatible keys with:

$ age-plugin-yubikey --list-all
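The recipients printed by `--list` are meant to be fed straight to `age -R`, and the keys behind them are ECDSA P-256 points from PIV slots. The following is an added example, not code from age-plugin-yubikey or the age project: it validates a recipients file before it is trusted, checking that each line is a well-formed recipient whose payload really is a point on P-256. It assumes (from age's plugin conventions, not stated on this page) that recipients are bech32-encoded with the human-readable part `age1yubikey` and carry the 33-byte SEC1 compressed public key, and that comment lines in `--list` output start with `#`. The sample recipients file, the placeholder serial and the use of the P-256 base point as a stand-in public key are all constructed for the example.

```python
# Added example (not part of age-plugin-yubikey): validate a recipients file
# produced by `age-plugin-yubikey --list` before handing it to `age -R`.
#
# Assumptions (age plugin conventions, not stated on this page):
#   * recipients are bech32 strings with HRP "age1yubikey", so a recipient
#     reads "age1yubikey1<data>"; age's bech32 has no 90-char length limit
#   * the payload is the SEC1 compressed (33-byte, 0x02/0x03 prefix) P-256 key
#   * comment lines in the recipients file start with "#"
from typing import List, Optional, Tuple

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values: List[int]) -> int:
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp: str) -> List[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits: int, tobits: int, pad: bool) -> Optional[List[int]]:
    """Regroup bits (8<->5). With pad=False, non-canonical padding is rejected."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def bech32_encode(hrp: str, payload: bytes) -> str:
    data = _convertbits(payload, 8, 5, True)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_decode(s: str) -> Optional[Tuple[str, bytes]]:
    """Return (hrp, payload) or None when the string or its checksum is invalid."""
    if s != s.lower() and s != s.upper():  # mixed case is not allowed
        return None
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s):
        return None
    hrp, body = s[:pos], s[pos + 1:]
    if any(c not in CHARSET for c in body):
        return None
    data = [CHARSET.index(c) for c in body]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        return None  # checksum mismatch
    payload = _convertbits(data[:-6], 5, 8, False)
    return None if payload is None else (hrp, bytes(payload))


# NIST P-256: y^2 = x^3 - 3x + b (mod p); G is the standard base point.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
YUBIKEY_HRP = "age1yubikey"  # assumed plugin HRP


def decompress_p256(sec1: bytes) -> Optional[Tuple[int, int]]:
    """(x, y) for a 33-byte compressed point, or None if malformed / not on the curve."""
    if len(sec1) != 33 or sec1[0] not in (2, 3):
        return None
    x = int.from_bytes(sec1[1:], "big")
    if x >= P256_P:
        return None
    rhs = (pow(x, 3, P256_P) - 3 * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)  # p = 3 mod 4, so this is a sqrt if one exists
    if (y * y) % P256_P != rhs:
        return None  # no curve point has this x coordinate
    if (y & 1) != (sec1[0] & 1):
        y = P256_P - y
    return x, y


def check_recipient(recipient: str) -> Tuple[bool, str]:
    decoded = bech32_decode(recipient.strip())
    if decoded is None:
        return False, "bad bech32 encoding or checksum"
    hrp, payload = decoded
    if hrp != YUBIKEY_HRP:
        return False, f"unexpected HRP {hrp!r}, not a YubiKey recipient"
    if decompress_p256(payload) is None:
        return False, "payload is not a compressed P-256 point"
    return True, "ok"


def check_recipients_file(text: str) -> List[Tuple[str, bool, str]]:
    """Validate every non-empty, non-comment line of `--list` style output."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ok, why = check_recipient(line)
            results.append((line, ok, why))
    return results


def generator_recipient() -> str:
    """Constructed sample: encode base point G as if it were a YubiKey recipient."""
    prefix = bytes([2 + (P256_GY & 1)])
    return bech32_encode(YUBIKEY_HRP, prefix + P256_GX.to_bytes(32, "big"))


# Constructed recipients file; the comment lines imitate --list output (assumed format).
SAMPLE_RECIPIENTS = "\n".join([
    "#       Serial: 00000000, Slot: 1",  # placeholder serial, constructed
    "#         Name: example",
    generator_recipient(),                 # valid
    "age1yubikey1" + "q" * 60,             # right prefix, garbage body: rejected
    "age1qqqqqqqq",                        # not a valid bech32 string at all
])

if __name__ == "__main__":
    for line, ok, why in check_recipients_file(SAMPLE_RECIPIENTS):
        print(("OK  " if ok else "BAD ") + why + "  " + line[:32] + "...")
```

Running the script prints one verdict per recipient line. A recipient that fails here would also be rejected by `age -R`, but checking up front lets you catch a mangled or substituted entry in a shared recipients file before anything is encrypted to it, and the on-curve check specifically rejects payloads that are the right length but not real public keys.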

age-plugin-yubikey implements several automatic security management features:

  • If it detects that the default PIN is being used, it will prompt the user to change the PIN. The PUK is then set to the same value as the PIN.
  • If it detects that the default management key is being used, it generates a random management key and stores it in PIN-protected metadata. age-plugin-yubikey does not support custom management keys.

License

Licensed under either of

  • Apache License, Version 2.0 (LICENSE-APACHE)
  • MIT license (LICENSE-MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
