Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/olastor/age-plugin-fido2-hmac

Age plugin to encrypt files with fido2 tokens using the hmac-secret extension and non-discoverable credentials.
https://github.com/olastor/age-plugin-fido2-hmac

age age-encryption age-plugin fido2 plugin

Last synced: about 1 month ago
JSON representation

Age plugin to encrypt files with fido2 tokens using the hmac-secret extension and non-discoverable credentials.

Lists

README 

        
# age-plugin-fido2-hmac



⚠️ Consider this plugin to be experimental until the version v1.0.0 is published! ⚠️



---



:key: Encrypt files with fido2 keys that support the "hmac-secret" extension.



:hash: Unlimited generation of recipients/identities because generated fido2 credentials are stateless.



:memo: See [the spec](https://github.com/olastor/age-plugin-fido2-hmac/blob/main/docs/spec-v2.md) for more details.



---



## Requirements



- [age](https://github.com/FiloSottile/age) (>= 1.1.0) or [rage](https://github.com/str4d/rage)

- [libfido2](https://developers.yubico.com/libfido2/)



**Ubuntu (>= 20.04)**



```bash

sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools

```



**Fedora (>= 34)**



```bash

sudo dnf install libfido2 libfido2-devel fido2-tools

```



**Mac OS**



```bash

brew install libfido2

```



## Installation



Download a the latest binary from the [release page](https://github.com/olastor/age-plugin-fido2-hmac/releases). Copy the binary to your `$PATH` (preferably in `$(which age)`) and make sure it's executable.



You can also use the following script for installation:



- Installs binary to `~/.local/bin/age-plugin-fido2-hmac` (change to your preferred directory)

- Make sure to adjust `OS` and `ARCH` if needed (`OS=darwin ARCH=arm64` for Apple Silicon, `OS=darwin ARCH=amd64` for older Macs)



```bash

cd "$(mktemp -d)"

VERSION=v0.2.3 OS=linux ARCH=amd64; curl -L "https://github.com/olastor/age-plugin-fido2-hmac/releases/download/$VERSION/age-plugin-fido2-hmac-$VERSION-$OS-$ARCH.tar.gz" -o age-plugin-fido2-hmac.tar.gz

tar -xzf age-plugin-fido2-hmac.tar.gz

mv age-plugin-fido2-hmac/age-plugin-fido2-hmac ~/.local/bin

```



Please note that Windows builds are currently not enabled, but if you need them please open a new issue and I'll try to look into it.



## Build from source



```bash

git clone https://github.com/olastor/age-plugin-fido2-hmac.git

cd age-plugin-fido2-hmac

make build

mv ./age-plugin-fido2-hmac ~/.local/bin/age-plugin-fido2-hmac

```



(requires Go 1.22)



## Usage



### Generate a new recpient/identity



Generate new credentials with the following command:



```

$ age-plugin-fido2-hmac -g

[*] Please insert your token now...

Please enter your PIN:

[*] Please touch your token...

[*] Do you want to require a PIN for decryption? [y/n]: y

[*] Please touch your token...

[*] Are you fine with having a separate identity (better privacy)? [y/n]: y

# created: 2024-04-21T16:54:23+02:00

# public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l

AGE-PLUGIN-FIDO2-HMAC-1QQPQZRFR7ZZ2WCV...

```



You can decide between storing your fido2 credential / salt inside the encrypted file header (benefit: no separate identity / downside: ciphertexts can be linked) or in a separate identity (benefit: native age recipient, unlinkabilty / downside: keep identity stored securely somewhere). To decrypt files without an identity, use the magic identity (`age-plugin-fido2-hmac -m`).



You are responsible for knowing which token matches your recipient / identity. There is no token identifier stored. If you have multiple tokens and forgot which one you used, there's no other way than trial/error to find out which one it was.



If you require a PIN for decryption, you (obviously) must not forget it. The PIN check is not just an UI guard, but the token changes the secret it uses internal!



### Encrypting/Decrypting



**Encryption:**



```bash

age -r age1... -o test.txt.enc test.txt

```



**Decryption:**



```bash

age-plugin-fido2-hmac -m > magic.txt

age -d -i magic.txt -o test-decrypted.txt test.txt.enc

```



or



```bash

age -d -i identity.txt -o test-decrypted.txt test.txt.enc

```



### Choosing a different algorithm



By default, one of the following algorithms is picked (in that order): ES256, EdDSA, RS256. If you want the credential to use a specific algorithm, use the `-a` parameter:



```bash

age-plugin-fido2-hmac -a eddsa -g

```



Note that



- your authenticator **may not support** all algorithms,

- the length of recipient/identity strings **can increase dramatically** by using a different algorithm.



The default (in most cases) is "es256", which should provide the smallest recipient/identity strings.



## Testing



### Unit Tests



In order to run unit tests, execute:



```bash

make test

```



### E2E Tests



End-to-end tests can currently no be run in the CI/CD pipeline because they require a virtual fido2 token to be mounted.



Use the following to setup a virtual test device with pin "1234" that always accepts any assertions:



```bash

go install github.com/rogpeppe/go-internal/cmd/testscript@latest # check PATH includes $HOME/go/bin/

sudo dnf install usbip clang clang-devel

git clone https://github.com/Nitrokey/nitrokey-3-firmware.git

cd nitrokey-3-firmware/runners/usbip

cargo build

cargo run

make attach # separate shell

fido2-token -S "$(fido2-token -L | head | cut -d':' -f1)" # set to 1234

```



Then run the tests using:



```bash

make test-e2e

```



To make the backwards compatibility tests work, the test device must use the file system in `e2e/test_device.bin` by running `cargo run -- --ifs ` instead of just `cargo run`.