Title: Tillitis TKey with passage password store Date: 2023-06-27 Category: Posts Tags: Tutorial, Security, Hardware The [Tillitis TKey](https://www.tillitis.se/tkey/) is a recently released open hardware security key that you load with custom applications. One useful application is encrypting passwords for the [pass](https://www.passwordstore.org/) utility. Even more details about the TKey in this ~20 minute [video](https://www.youtube.com/watch?v=X7IllDLFKRk) Most of the existing libraries and utilities for the tkey are made with golang. Unfortunately, the official golang [package](https://pkg.go.dev/golang.org/x/crypto/openpgp) for OpenPGP is deprecated, and I haven't found any implementations of a [gpg-agent](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html) or [scdaemon](https://www.gnupg.org/documentation/manuals/gnupg/Invoking-SCDAEMON.html) in golang. Fortunately, one of the Tillitis developers has started work on a [plugin](https://github.com/quite/age-plugin-tkey) for the [age](https://github.com/FiloSottile/age) encryption tool which we can use with a fork of the pass utility called [passage](https://github.com/FiloSottile/passage). Building the Plugin: -------------------- To start, install the `age` package for your distribuition. It is available in Arch, Debian, and Fedora. Next we can build the tkey device application from the age-plugin-tkey repo. It's worth repeating the warning from the plugin README: > Note that this is work in progress. The implementation may change, and this will cause a change of identity of a TKey running this device app. This would mean that the public/private key no longer is the same, and decryption of data encrypted for the previous key pair will not be possible. In other words, make sure you have a working backup of your data. Ideally in an offline storage. We can also use the 'multiple recipients' feature of 'age' to encrypt with the public key from the tkey, and another backup key in case of damage or loss. We'll follow the recommended steps of building the plugin with podman to ensure the checksums don't change. (Note: For Arch, I needed to add a subuid, and subgid range for my user [Arch Wiki Link](https://wiki.archlinux.org/title/Podman)). :::sh $ git clone https://github.com/quite/age-plugin-tkey $ cd age-plugin-tkey/contrib $ make Now we should have a binary we can use to generate a new identity file for `age`. (Note that the --touch option when generating a key will require pressing the tkey for each decrypt action) :::sh $ cd .. $ ./age-plugin-tkey -g --touch > test_keys # recipient: age1aaf428jance6wsw28qad8878xh48jh57wy3pxxa0ettntuzhlussr8qps5 Finally, we need to add the plugin to our $PATH: (assuming ~/bin is in your $PATH) :::sh $ ln -s $(pwd)/age-plugin-tkey ~/bin/age-plugin-tkey Installing Passage ------------------ This section is Arch linux specific, so feel free to skip if you can install passage more easily on your distribution. Otherwise, you can install from source, or build locally like we did with the age-plugin-tkey. Arch has a [PKGBUILD](https://aur.archlinux.org/packages/passage-git) for passage available in the Arch User Repository, but it is not updated to latest project tag at the time of writing. That's easy enough to correct. Download the PKGBUILD, Edit the 'pkgver' to the latest [tag](https://github.com/FiloSottile/passage/tags) from the project, and install. $ wget https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=passage-git -O PKGBUILD $ vim PKGBUILD $ makepkg -si Setting up the Password Store ----------------------------- Create a directory for our encrypted password store, and copy the identity file we made earlier. $ mkdir ~/.passage $ cp test_keys ~/.passage identities $ cd ~/.passage At this point we should create our backup key. I'll put mine on an external sd card. $ age-keygen -o /mnt/external_card/backup_key.txt # public key: age15nqg2rlyzj2hm4ancu9g774ygv3qzzy4l0zv3mgah6lm0u35uv9s2ara7j Now we add the public keys from the tkey and the backup to the recipients file $ mkdir store $ echo age1aaf428jance6wsw28qad8878xh48jh57wy3pxxa0ettntuzhlussr8qps5 >> store/.age-recipients $ echo age15nqg2rlyzj2hm4ancu9g774ygv3qzzy4l0zv3mgah6lm0u35uv9s2ara7j >> store/.age-recipients Finally, we can actually start using the password manager! $ passage insert -m testing/somesite mkdir: created directory '/home/user/.passage/store/testing' Enter contents of testing/somesite and press Ctrl+D when finished: somepassword someuser https://some.site If everything has gone correctly, we should be able to decrypt with the tkey identity. $ passage show testing/somesite somepassword someuser https://some.site And to double check with the backup identity: $ cat /mnt/external_card/backup_key.txt > identities $ passage show testing/somesite somepassword someuser https://some.site