Comments (3)
Most likely this isn't possible due to the way the yubikey works generally. For rekeying you would require that the hardware key support an entirely new type of operation that does the full decrypt and reencrypt on the yubikey (operating on a transient pubkey that is transferred to the key). Broadly speaking, I don't think any hardware key will ever support such an operation, because it is not something that an average user would need at all.
But I have some thoughts regarding your threat model: Usually you only need to rekey secrets one time, which is after creating the secret. So by definition you will have to make the secret material available on your machine in the beginning to encrypt it in the first place. I don't think the rekeying operation following this is going to make a big difference then. If an attacker had compromised your system at that time, they could already steal the secret when you first create it. Or am I missing something?
If you are really paranoid about it, you could always create, edit and rekey your secrets on an air-gapped machine.
from agenix-rekey.
Thank you for the explanation, this makes total sense. I'm not (yet!) deeply familiar with the cryptographic operations already supported by the yubikey, so this is quite helpful.
Broadly speaking, I don't think any hardware key will ever support such an operation, because it is not something that an average user would need at all.
I agree in general, though I think the use case of performing key rotation of encrypted material inside a trusted enclave is one that has somewhat wide applicability.
Usually you only need to rekey secrets one time, which is after creating the secret. So by definition you will have to make the secret material available on your machine in the beginning to encrypt it in the first place. I don't think the rekeying operation following this is going to make a big difference then. If an attacker had compromised your system at that time, they could already steal the secret when you first create it. Or am I missing something?
Suppose that secrets are to be deployed to machines which may from time to time be destroyed or created. Each time a new machine is created in place of its predecessor, a re-keying is required, because it will have a new identity keypair, freshly generated at instantiation. The creation and first encryption of the secret material ought to happen in all cases on an air-gapped machine, but if inside-the-yubikey rekeying were possible, the airgap would not necessarily be required to rekey a secret to deploy it to a new machine, as it would remain encrypted at all times from the perspective of the possibly-compromised developer workstation. With full hardware rekeying, if the workstation is compromised, then the adversary further needs to use that compromise not only to get access to the remote machine which will decrypt the secret (hardware SSH keys can help mitigate this), but also to exploit that machine in some way to exfiltrate the decrypted secret material. The thought is that if hardware rekeying were possible, it would raise the bar identically to the state of affairs where rekeying is done in an airgap, but with much better usability. Alas!
Feel free to close this issue out; maybe someday someone will make a device that supports this. (It occurs to me that it should be possible to do something like this with a Ledger hardware wallet...)
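The flow the comment above describes, a secret encrypted once to a master identity and then rekeyed to each freshly created host identity, as an added example that is not part of this thread or of agenix-rekey. It uses a toy X25519 + AES-GCM envelope constructed for the example rather than age's real format, and every key and the sample secret are generated or constructed here; the point it makes concrete is that the software Rekey step has to hold the plaintext in the rekeying machine's memory, which is what an in-hardware rekey would avoid.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewIdentity generates a fresh X25519 keypair, standing in for the age/SSH
// identity a newly created machine gets. Toy construction, not age's format.
func NewIdentity() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// Envelope is a toy ECIES-style ciphertext: ephemeral public key, nonce and
// AES-GCM output. It exists only so the rekey flow below is concrete.
type Envelope struct {
	Ephemeral  []byte
	Nonce      []byte
	Ciphertext []byte
}

// deriveKey binds the AES key to the shared secret and both public keys.
func deriveKey(shared, ephemeral, recipient []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte("toy-rekey-demo-v1"), shared, ephemeral, recipient} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext so only the holder of recipient's private key can open it.
func Encrypt(recipient *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, eph.PublicKey().Bytes(), recipient.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens an envelope with the matching private key; any other identity
// derives a different key and fails GCM authentication.
func Decrypt(id *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := id.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.Ephemeral, id.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Rekey is the software path discussed in the thread: the machine holding the
// master identity decrypts and re-encrypts for a new host. Between the two
// calls the plaintext sits in this process's memory, which is exactly what an
// in-hardware rekey operation would keep off the workstation.
func Rekey(master *ecdh.PrivateKey, env *Envelope, newHost *ecdh.PublicKey) (*Envelope, error) {
	plaintext, err := Decrypt(master, env)
	if err != nil {
		return nil, err
	}
	return Encrypt(newHost, plaintext)
}

func main() {
	master, _ := NewIdentity() // kept on the air-gapped machine
	hostV2, _ := NewIdentity() // replacement host, created with a fresh identity
	stored, _ := Encrypt(master.PublicKey(), []byte("constructed sample secret")) // encrypted once at creation
	forV2, _ := Rekey(master, stored, hostV2.PublicKey()) // repeated each time the host is recreated
	pt, err := Decrypt(hostV2, forV2)
	fmt.Printf("host v2 opens rekeyed envelope: %v (%q)\n", err == nil, pt)
}
```

Only the master identity can drive Rekey, and an envelope rekeyed for the replacement host is not openable with the destroyed host's identity; the weak point is the rekeying process itself, which holds both the master key and the plaintext while it runs.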
The thought is that if hardware rekeying were possible, it would raise the bar identically to the state of affairs where rekeying is done in an airgap, but with much better usability.
Definitely!
Feel free to close this issue out; maybe someday someone will make a device that supports this.
I mean it's really just a firmware thing, so you could try to ask this in a related firmware repository for your favorite hardware key :)