Nice, I'd love this as an open source yubikey replacement.
But it doesn't do OpenPGP, I rely on that way too much sadly. Not just for SSH, which supports FIDO2 now, but also for file encryption and my password manager.
We hope and think that PIV can replace all the practical use cases for PGP. Specifically among those mentioned, `age` for file encryption, and either FIDO resident keys with hmac-secret for password managers, or something like `passage` (fork of `pass` using, again, `age` for encryption). For SSH you can use FIDO for newer OpenSSH, and either `pivy` or `yubikey-agent` via PIV. Cheers!
As a reluctant PGP user who has backed Solo Keys v2 for 4+ for personal use, and who has written Rust code in the pursuit of using PIV over OpenPGP, this answer is disappointing.
Age isn't there. It does NOT have good (read, right now, really, any) support for hardware tokens. I'm skeptical of what I've seen. And age still punts on authentication. And PIV still doesn't have decent keys at decent sizes standardized and thus is awkward to use in practice.
I'm really not convinced, and I really want to be. I wrote a bunch of forward-looking Rust, and then permanently back-burnered it because age/yubikey just isn't there yet.
Using FIDO2 for SSH, when you're used to the portability and versatility of OpenPGP, stinks. I can use my Yubikey perfectly to do SSH and GPG in Windows. I can forward SSH agent and GPG from Windows to Linux such that it is identical in functionality to me sitting in front of my actual Linux box with my Yubikey plugged in. I have never seen that done with PIV.
I have this extreme fear that I'm going to wind up with four Solo Keys v2 that just sit in a drawer.
I can't see why one would bother. OpenPGP works and is a published standard that has been around forever. Age is just pointlessly different with fewer use cases. This has an example of where age is objectively worse:
People like to dislike PGP and replace it with a myriad of different solutions. But PGP is everywhere and awesome. Its very widespread adoption is invaluable. I really don't want to see it replaced with zillions of different bespoke solutions.
Yep! It's magical having everything signed automatically by plugging in my Yubikey and setting some git config once. I will not go to something that doesn't enable this.
This. I’m a backer for their Kickstarter but the lack of PGP is unfortunate. Yes, there are problems with it. But as you said, it’s everywhere. It’s not going anywhere anytime soon, so what’s the harm in supporting it for now?
Because it has a shitton of issues. The implementations aren't great: cryptographic issues, memory safety issues, stable API/ABI issues. It's still not supported well by software that could use these features.
Understood and it probably can but I don't want to replace it :) I like OpenPGP (especially the newer revision which supports elliptic curve).
The GPG toolchain is pretty great for file encryption and I use it for my password manager too (which is indeed ZX2C4 Pass - passwordstore.org). I don't want to use a fork using 'age' because I rely on the GPG version on my mobile (using the excellent OpenKeyChain app and the passwordstore app which talks to that).
Also, I log in to SSH servers I don't have the ability to install stuff on, like the ILO on my servers. And again on mobile, there are bridges to OpenKeyChain for SSH in e.g. Termux which work great, including agent forwarding. But not for PIV. So it's not a complete replacement.
Sorry but without OpenPGP it's a non-starter for me. I understand I could use Solokey if I make a lot of changes in my personal setup and make some compromises especially on mobile. But why would I? I can just continue using Yubikey :) Don't forget you're in a heavily contested market, you should be better than the competition.
I'd like to have an open-source authentication key but in the end it's a tool to me. Open-source is a 'nice to have'. It's not worth it to me to deviate too much from my existing workflow.
If they add that in the future I might jump ship.