Comments (8)
Hey, sorry for the late reply.
It's not possible to manage GPG keys in the Vault at the moment. It's definitely an interesting idea though.
What kind of features / mechanisms did you have in mind?
It would be nice if you would work on this in a PR, but I can't give you any promises that it will be merged to the main repo at this time. This seems like a bigger change and we would have to think about all the implications (also related to usability because we want to keep the app as simple as possible so it can also be used by non-technical people).
As a first step you could come up with a list of features that you would like to have, then we can see how that fits into the current design of the Vault.
from airgap-vault.
@RoGryza I've been thinking more and more about this over the last few weeks. Do you have some time and would be interested in working on this?
from airgap-vault.
@AndreasGassmann sorry for the delay. I'm no longer working on the project I'd use this for, but I'll contact the team and see if they're still interested
from airgap-vault.
I see that this has been mentioned, so I'm adding my own take to it: use OpenKeychain as the source of secret generation. That way no mnemonics, private keys, json files, or anything ever have to be exported anywhere, just connect directly to OpenKeychain. For an even better security scenario, you could generate the OpenPGP key on a HW device (e.g. NitroKey), and then generate the vault secret from OpenKeychain.
This option would only work on Android though, afaik.
from airgap-vault.
I am not familiar with OpenKeychain, Nitrokey or Fidesmo. It looks like both the Fidesmo token and NitroKey are a device that hold your keys (like a Yubikey), while OpenKeychain is an application on Android that does the same thing.
If I understood correctly, you are suggesting that we delegate the key management/generation to one of those devices instead of in AirGap Vault itself. Is that correct?
Assuming it is, I'm not sure this is aligned with the goals of AirGap Vault. AirGap Vault should basically be a replacement for HW devices that hold your keys. So instead of having a Ledger/Trezor that holds your keys, it should be AirGap Vault instead. This brings a couple of benefits like full air-gapping, better UX, etc.
What you are suggesting, if I understood correctly, is to basically only use the AirGap Vault as a "bridge" between the online world and those devices. So it would be Online Device <= QR => AirGap Vault <==> Fidesmo/Nitrokey/OpenKeychain, where Fidesmo/Nitrokey/OpenKeychain would be holding the key.
Besides the fact that this kind of goes against our goals, I'm not sure if it's possible. Usually, HW devices that manage your keys are designed to not let you extract your keys, as a security measure. I did a quick search on whether this is possible on Nitrokey, and their page here https://docs.nitrokey.com/pro/openpgp-keygen-backup.html suggests that it is not:
The following instructions explain the generation of OpenPGP keys and how to copy them to the Nitrokey. This method has the advantage of providing a backup of the keys in case of losing or breaking the Nitrokey.
So this means it would actually not be possible to use the secret on those devices to generate a mnemonic out of it, unless the devices themselves support it (e.g. Ledger, Trezor, etc.). It would probably be possible with OpenKeychain if their API allows it, but my question would be what the advantages of that would be.
Having your key on multiple devices always increases the possible attack vectors. So our vision is that AirGap Vault will be the one application that holds all your secrets and does all the operations locally, without the key ever leaving the device. That's also why we added additional security measures that protect users against compromised RNGs by collecting entropy over camera, microphone and touch input, or even let you provide your own entropy that you collected via dice rolls and coin flips.
So in a way, AirGap Vault is a "replacement" for all the apps/devices that you mentioned.
Maybe I misunderstood your question, if that's the case, please let me know.
from airgap-vault.
I am just as in the dark regarding this idea, but my initial thought was that OpenPGP is a cryptography tool with a public key, and a private key. Now obviously you don't want anything to be derived from your public key, because duh, but the private key? That is a different piece of tea. If a SHA512 hash, that is not subject to change upon each request, can be requested from the private key via the API, and passed through to AirGap, it could serve as the crypto wallet private key.
Again, I have no idea how this could work, but they have the components, the API, the documentation for general GPG functions. I will try to reach out to them.
from airgap-vault.
If they allow you to get a deterministic hash from the private key, then that could be used as the source of entropy for your mnemonic. But the question still remains, why would you want to do that? If you lose your HW device, that private key is gone, and it cannot be backed up (unless you provide your own key, as described in the link above). So you'll still be in the situation where you have to back up your mnemonic in case you lose your HW device.
Instead, I think the more interesting approach is to use your mnemonic as the source of entropy and generate all your other keys out of it. BIP85 is designed to do that, or at least something very similar. You can derive child mnemonics from a master mnemonic, but you can also derive entropy to be used elsewhere. My vision was to use BIP85 to generate a GPG key, but sadly, it looks like OpenPGP and WebCrypto don't support that: openpgpjs/openpgpjs#1309 If they did, that would be the ideal solution in my opinion. It would allow you to back up 1 master mnemonic with Shamir or whatever you would like, which then will allow you to re-generate all your keys. But sadly, it doesn't seem to be possible, at least not with those tools.
I'm still not 100% sure what your use case or your goal is. Do you simply want to have to back up only one key that can recover everything? It looks like that would already be possible by generating your own PGP key, then importing it into your Nitrokey ( https://docs.nitrokey.com/pro/openpgp-keygen-backup.html ) and then generate a mnemonic out of that PGP key by using some custom script.
from airgap-vault.
There has been no activity on this issue for the past two years. I'll be closing it now. If there's a need to revisit this matter, please don't hesitate to reopen the issue. Thank you.
from airgap-vault.