Tillitis TKey with passage password store

The Tillitis TKey is a recently released open hardware security key that you load with custom applications. One useful application is holding the key that encrypts the entries of a pass-style password store.

There are more details about the TKey in this roughly 20-minute video.

Most of the existing libraries and utilities for the TKey are written in Go. Unfortunately, the official Go OpenPGP package is deprecated, and I haven't found any implementations of gpg-agent or scdaemon in Go.

Fortunately, one of the Tillitis developers has started work on a plugin for the age encryption tool, which we can use with passage, a fork of the pass utility that uses age instead of GnuPG.

Building the Plugin

To start, install the age package for your distribution. It is available in Arch, Debian, and Fedora.

Next we build the plugin, and the device app it loads onto the TKey, from the age-plugin-tkey repo. It's worth repeating the warning from the plugin README:

Note that this is work in progress. The implementation may change, and this will cause a change of identity of a TKey running this device app. This would mean that the public/private key no longer is the same, and decryption of data encrypted for the previous key pair will not be possible.

In other words, make sure you have a working backup of your data, ideally on offline storage. We can also use the 'multiple recipients' feature of 'age' to encrypt every entry to both the public key from the TKey and a separate backup key, so the store stays recoverable if the TKey is damaged, lost, or its identity changes.

We'll follow the recommended steps of building the plugin with podman, so the build is reproducible and the checksums match the ones published in the README. (Note: on Arch, I needed to add a subuid and subgid range for my user; the Arch Wiki covers this under rootless Podman.)

$ git clone https://github.com/quite/age-plugin-tkey
$ cd age-plugin-tkey/contrib
$ make

Now we should have a binary we can use to generate a new identity file for age. (Note that generating the key with the --touch option means the TKey must be physically touched for each decrypt operation.)

$ cd ..
$ ./age-plugin-tkey -g --touch > test_keys
# recipient: age1aaf428jance6wsw28qad8878xh48jh57wy3pxxa0ettntuzhlussr8qps5

Finally, we need to put the plugin on our $PATH so age can find it (assuming ~/bin is in your $PATH):

$ ln -s $(pwd)/age-plugin-tkey ~/bin/age-plugin-tkey

Installing Passage

This section is Arch Linux specific, so feel free to skip it if you can install passage more easily on your distribution. Otherwise, you can install from source, or build locally as we did with age-plugin-tkey.

Arch has a PKGBUILD for passage in the Arch User Repository, but at the time of writing it is not updated to the latest project tag. That's easy enough to correct: download the PKGBUILD, edit 'pkgver' to the latest tag from the project, and install.

$ wget https://aur.archlinux.org/cgit/aur.git/plain/PKGBUILD?h=passage-git -O PKGBUILD
$ vim PKGBUILD
$ makepkg -si

Setting up the Password Store

Create a directory for our encrypted password store, and copy the identity file we made earlier to the location passage reads identities from by default (~/.passage/identities).

$ mkdir ~/.passage
$ cp test_keys ~/.passage/identities
$ cd ~/.passage

At this point we should create our backup key. I'll put mine on an external SD card, which stays unmounted except when the backup is needed.

$ age-keygen -o /mnt/external_card/backup_key.txt
# public key: age15nqg2rlyzj2hm4ancu9g774ygv3qzzy4l0zv3mgah6lm0u35uv9s2ara7j

Now we add the public keys from the TKey and the backup to the recipients file. passage reads store/.age-recipients and encrypts every inserted entry to each recipient listed there; only the public keys go in this file, never the backup identity itself.

$ mkdir store
$ echo age1aaf428jance6wsw28qad8878xh48jh57wy3pxxa0ettntuzhlussr8qps5 >> store/.age-recipients
$ echo age15nqg2rlyzj2hm4ancu9g774ygv3qzzy4l0zv3mgah6lm0u35uv9s2ara7j >> store/.age-recipients

Finally, we can actually start using the password manager!

$ passage insert -m testing/somesite
mkdir: created directory '/home/user/.passage/store/testing'
Enter contents of testing/somesite and press Ctrl+D when finished:

somepassword
someuser
https://some.site

If everything has gone correctly, we should be able to decrypt with the tkey identity.

$ passage show testing/somesite
somepassword
someuser
https://some.site

And to double-check with the backup identity (note that this overwrites the identities file with the backup key; afterwards, copy test_keys back to ~/.passage/identities and unmount the card so the backup stays offline):

$ cat /mnt/external_card/backup_key.txt > identities
$ passage show testing/somesite
somepassword
someuser
https://some.site
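The multi-recipient setup above, and the backup check that follows it, can be exercised without the hardware. The script below is an added example, not code from the original post or from the passage or age projects. It assumes only that age and age-keygen are installed; two throwaway file identities stand in for the TKey identity and the SD-card backup key, the recipients file uses the same one-recipient-per-line format as store/.age-recipients, and the file names under the temporary directory are the script's own choices. Beyond the steps above, it also shows the failure mode: an entry encrypted while the recipients file held only the TKey key cannot be opened with the backup identity.

```shell
#!/bin/sh
# Added example (not from the original post or the passage/age projects).
# Assumes `age` and `age-keygen` are on PATH. Two file identities stand in for
# the TKey identity and the offline backup key, since the TKey plugin needs
# the hardware attached and cannot run in a script like this.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

have_age() {
  command -v age >/dev/null 2>&1 && command -v age-keygen >/dev/null 2>&1
}

# make_identity NAME: write $WORK/NAME.txt and print its recipient string,
# the same kind of age1... value that goes into store/.age-recipients.
make_identity() {
  age-keygen -o "$WORK/$1.txt" 2>/dev/null
  age-keygen -y "$WORK/$1.txt"
}

# encrypt_entry OUT: encrypt stdin to every recipient in $WORK/recipients
# (one recipient per line, like .age-recipients) into $WORK/OUT.
encrypt_entry() {
  age -R "$WORK/recipients" -o "$WORK/$1"
}

# decrypt_with NAME FILE: decrypt $WORK/FILE with identity file $WORK/NAME.txt.
decrypt_with() {
  age -d -i "$WORK/$1.txt" "$WORK/$2"
}

# check_multi_recipient: prints "ok" when (1) an entry encrypted to both
# recipients opens with either identity, and (2) an entry encrypted to the
# primary recipient alone can NOT be opened by the backup identity. A backup
# key that is missing from .age-recipients is no backup at all.
check_multi_recipient() {
  if ! have_age; then
    echo "skipped: age not installed"
    return 0
  fi
  primary=$(make_identity primary)   # stands in for the TKey recipient
  backup=$(make_identity backup)     # stands in for the SD-card backup key
  printf '%s\n%s\n' "$primary" "$backup" > "$WORK/recipients"

  printf 'somepassword\n' | encrypt_entry both.age
  [ "$(decrypt_with primary both.age)" = "somepassword" ] || return 1
  [ "$(decrypt_with backup both.age)" = "somepassword" ] || return 1

  # Failure mode: the recipients file holds only the TKey key.
  printf '%s\n' "$primary" > "$WORK/recipients"
  printf 'somepassword\n' | encrypt_entry only.age
  if decrypt_with backup only.age >/dev/null 2>&1; then
    return 1
  fi
  echo "ok"
}
```

Run it with `check_multi_recipient` after sourcing the script; it prints "ok" on success. The same two checks, decrypting one real entry with the TKey identity and then with the backup identity, are what the passage commands above perform against the live store, and they are worth repeating whenever .age-recipients changes, because passage only encrypts new entries to the current recipient list.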
