trezor-agent vs ssh-agent-pkcs11

| | trezor-agent | ssh-agent-pkcs11 |
|---|---|---|
| Mentions | 9 | 1 |
| Stars | 559 | 5 |
| Growth | - | - |
| Activity | 4.9 | 10.0 |
| Latest commit | 9 days ago | almost 5 years ago |
| Language | Python | C |
| License | GNU Lesser General Public License v3.0 only | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
trezor-agent
-
Mnemonikey | Deterministic PGP key recovery using phrases | v0.0.1 prerelease published
It doesn't support signing and authentication subkeys (But maybe it will soon!).
-
agenix and ssh keys
GPG "master keys" are on the Trezor, which has no mass storage. You can read more about how to use it for GPG here: https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md. Trezor needs a PIN + passphrase typed on the device to be secure from physical attacks (Google: trezor hacked).
-
Best way of encrypting files / folders using the Trezor
I use romanz/trezor-agent and it is recommended on the official trezor wiki.
-
Anyone here use the Trezor hardware wallet for GPG?
It looks like someone on the GitHub for the Trezor GPG has worked on it, but I have no clue how to run this script. Here's the first link I found under the issues tab.
- Creating or associating multiple subkeys with a Trezor signed GPG key.
-
TIL: Trezor-T works under WSL-2 (Linux on Windows) using usbipd-win
I'd been working with the trezor-gpg and trezor-ssh features recently, but found them difficult to configure in Windows. When I saw the WSL-2 article on usbipd, I found everything worked great.
-
It's Now Possible to Sign Arbitrary Data with Your SSH Keys
Ledger/Trezor have solved this since ~2016. I have a Ledger that has a private key inside and using a small open source tool (https://github.com/romanz/trezor-agent) I can SSH into machines, sign random data and GitHub commits and FIDO authenticate into several websites. All of that and knowing that these devices offer some of the best security out there.
-
So... which one do I want? [3 different OpenPGP applications?]
SSH/PGP agent is a proxy application intended to work with https://github.com/romanz/trezor-agent
ssh-agent-pkcs11
-
It's Now Possible to Sign Arbitrary Data with Your SSH Keys
It hasn't been able to do it in a meaningful way.
I've been patching support for this into ssh-agent for about a decade. I wrote a PKCS#11 module which talks to the SSH agent socket to forward your smartcard [0]. Doing so requires three changes to the protocol:
1. The ability to sign arbitrary data and get back the signed result [1]; normally you get back a hashed result [2].
2. The ability to decrypt data; this is what you said. This is less important since many things only require signatures (and not all algorithms support encryption/decryption).
3. The ability to request your certificates [3] [4]; this one is kinda obvious.
The benefits of this are that you can use your smartcard on the remote host to do fully authenticated password-less sudo with pam_pkcs11. You can also do anything else that requires your private key to be used, which can include fetching files (TLS client certificate authentication).
Within the US Government, passwords have been being phased out since 2004, but the requirements for authenticated privilege elevation remain.
Another way to accomplish this is to use SSH forwarding of your PC/SC socket but that's less portable and more fragile (and even less secure).
[0] https://github.com/rkeene/ssh-agent-pkcs11
[1] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...
[2] https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent...
[3] https://cackey.rkeene.org/fossil/artifact/0d0e90bbfdee672c?l...
[4] https://datatracker.ietf.org/doc/html/rfc6187#section-2.1
What are some alternatives?
PIVX-SPMT - Secure PIVX Masternode Tool - Setup & Manage your masternodes while storing collateral on a Ledger device!
age - A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
rekor - Software Supply Chain Transparency Log
whoami.filippo.io - A ssh server that knows who you are. $ ssh whoami.filippo.io
PET4L - PIVX Emergency Tool for Ledger - Spend PIV from a seemingly "Stuck" Ledger wallet
rage - A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.
Colima.bundle - Combined Library Metadata Agent (Colima)
git-crypt - Transparent file encryption in git
strledger - Sign Stellar Transaction with Ledger on the command line.
sops - Simple and flexible tool for managing secrets
stakesign - Sign files via blockchain + put your money where your mouth is