Crates.io | age-plugin-yubikey |
lib.rs | age-plugin-yubikey |
version | 0.5.0 |
source | src |
created_at | 2020-08-30 16:53:26.222569 |
updated_at | 2024-08-04 03:43:53.065896 |
description | YubiKey plugin for age clients |
homepage | |
repository | https://github.com/str4d/age-plugin-yubikey |
max_upload_size | |
id | 282758 |
size | 218,713 |
age-plugin-yubikey
is a plugin for age clients
like age
and rage
,
which enables files to be encrypted to age identities stored on YubiKeys.
Environment | CLI command |
---|---|
Cargo (Rust 1.67+) | cargo install age-plugin-yubikey |
Homebrew (macOS or Linux) | brew install age-plugin-yubikey |
Arch Linux | pacman -S age-plugin-yubikey |
Debian | Debian package |
NixOS | Add to config:environment.systemPackages = [ pkgs.age-plugin-yubikey ]; Or run nix-env -i age-plugin-yubikey |
Ubuntu 20.04+ | Debian package |
OpenBSD | pkg_add age-plugin-yubikey (security/age-plugin-yubikey) |
On Windows, Linux, and macOS, you can use the pre-built binaries.
Help from new packagers is very welcome.
On non-Windows, non-macOS systems, you need to ensure that the pcscd
service
is installed and running.
Environment | CLI command |
---|---|
Debian or Ubuntu | sudo apt-get install pcscd |
Fedora | sudo dnf install pcsc-lite |
OpenBSD | As root do:pkg_add pcsc-lite ccid rcctl enable pcscd rcctl start pcscd |
FreeBSD | As root do:pkg install pcsc-lite libccid service pcscd enable service pcscd start |
Arch | sudo pacman -S pcsclite pcsc-tools yubikey-manager sudo systemctl enable pcscd sudo systemctl start pcscd |
When installing via Cargo, you also need to ensure that the development headers
for the pcsc-lite
library are available, so that the pcsc-sys
crate can be
compiled.
Environment | CLI command |
---|---|
Debian or Ubuntu | sudo apt-get install libpcsclite-dev |
Fedora | sudo dnf install pcsc-lite-devel |
WSL does not currently provide native support for USB devices. However, Windows binaries installed on the host can be run from inside a WSL environment. This means that you can encrypt or decrypt files inside a WSL environment with a YubiKey:
age-plugin-yubikey
on the Windows host.age-plugin-yubikey.exe
is available in the WSL environment's
PATH
. For default WSL setups, the Windows host's PATH
is automatically
added to the WSL environment's PATH
(see
this Microsoft blog post
for more details).age-plugin-yubikey
identities have two parts:
There are two ways to configure a YubiKey as an age identity. You can run the plugin binary directly to use a simple text interface, which will create an age identity file:
$ age-plugin-yubikey
Or you can use command-line flags to programmatically generate an identity and print it to standard output:
$ age-plugin-yubikey --generate \
[--serial SERIAL] \
[--slot SLOT] \
[--name NAME] \
[--pin-policy PIN-POLICY] \
[--touch-policy TOUCH-POLICY]
Once an identity has been created, you can regenerate it later:
$ age-plugin-yubikey --identity [--serial SERIAL] --slot SLOT
To use the identity with an age client, it needs to be stored in a file. When using the above programmatic flags, you can do this by redirecting standard output to a file. On a Unix system like macOS or Ubuntu:
$ age-plugin-yubikey --identity --slot SLOT > yubikey-identity.txt
The age recipients contained in all connected YubiKeys can be printed on standard output:
$ age-plugin-yubikey --list
To encrypt files to these YubiKey recipients, ensure that age-plugin-yubikey
is accessible in your PATH
, and then use the recipients with an age client as
normal (e.g. rage -r age1yubikey1...
).
The output of the --list
command can also be used directly to encrypt files to
all recipients (e.g. age -R filename.txt
).
To decrypt files encrypted to a YubiKey identity, pass the identity file to the
age client as normal (e.g. rage -d -i yubikey-identity.txt
).
age-plugin-yubikey
does not provide or interact with an agent for decryption.
It does however attempt to preserve the PIN cache by not soft-resetting the
YubiKey after a decryption or read-only operation, which enables YubiKey
identities configured with a PIN policy of once
to not prompt for the PIN on
every decryption. This does not work for YubiKey 4 series.
The session that corresponds to the once
policy can be ended in several ways,
not all of which are necessarily intuitive:
age-plugin-yubikey --generate
or the CLI
interface. This is to avoid leaving the YubiKey authenticated with the
management key.If the current PIN UX proves to be insufficient, a decryption agent will most
likely be implemented as a separate age plugin that interacts with
yubikey-agent
, enabling
YubiKeys to be used simultaneously with age and SSH.
age-plugin-yubikey
only officially supports the following YubiKey variants,
set up either via the text interface or the --generate
flag:
NOTE: Nano and USB-C variants of the above are also supported. The pre-YK4 YubiKey NEO series is NOT supported. The blue "Security Key by Yubico" will also not work (as it doesn't support PIV).
In practice, any PIV token with an ECDSA P-256 key and certificate in one of the 20 "retired" slots should work. You can list all age-compatible keys with:
$ age-plugin-yubikey --list-all
age-plugin-yubikey
implements several automatic security management features:
age-plugin-yubikey
does not support custom management keys.Licensed under either of
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.