Allow using a yubikey (or similar) for the password #77
Comments
|
It sounds good, however right now the provided password is used to decrypt the content of the credentials file which uses age. I don't think the password prompt can be replaced with a yubikey interaction without changing the whole encryption/decryption system. As I know (and I'm not well versed in this area) U2F protocol (and yubikey in general) does not allow secrets to leave or leak the device (that's why I'm using it for auth), it can hash/sign/verify given input proving it's THE device that. If I want to encrypt/decrypt content, I would have to pass the whole credentials files to the yubikey device and use the response. That would require to 1) support encryption with for example gpg keys 2) change the whole storage layer. And still that's just an assumption based on my user experience with the device, never read deeper how it really works and I never had to implement yubikey 2fa as I'm not working on websites/web-services that would utilise that. Please correct anything I'm assuming wrong. |
|
Instead of passing the whole file, they idea would be to use it to decrypt
a locally stored key file that is then used by your application to decrypt
the full file. There is already some age support for yubikeys:
https://github.com/str4d/age-plugin-yubikey
… |
Meanwhile I realized we have a "header" that's encrypted with the password and the credentials store is encrypted with that key stored in the header. I wouldn't implement something that requires a user to do a lot of extra steps, I would rather just implement GPG decryption of the header content. I'll leave the issue here, I don't think I'll have time to do it in the near future, but someone can pick it up and give it a go. One main focus of this project is to keep it as simple as possible. |
It would be great to have the option to use a yubikey instead of manually inputting a password.
The text was updated successfully, but these errors were encountered: