Using ssh-agent
for encryption purposes (without SSH extensions)
#29
cipriancraciun
started this conversation in
Discussions
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
On the https://github.com/FiloSottile/age project issues and discussions lists often the question of using a plain
ssh-agent
(as in without any custom SSH extensions) is raised, like for example:Unfortunately, using SSH agent for encryption is not possible because it only exposes an operation that relies on signatures, and even that isn't generally suitable for arbitrary signatures.
Fortunately, because RSA and Ed25519 signature schemes are deterministic (only PKCS-v1.5 for RSA) (and not available for ECDSA), it means one can "misuse" SSH agent signatures for symmetric encryption (as in only the one that posses the RSA/Ed25519 secret key can both encrypt and decrypt).
Now, the
z-tokens
project (the one in this repository) does try to implement such a SSH-agent based symmetric encryption scheme. I've also written a lengthier article on the subject at:Other projects that have implemented similar solutions based on the unmodified SSH-agent protocol:
Thus, in order to document all these use-cases and possible solutions I thought to open this discussion thread here to point at these various places.
Also, I invite anyone to discuss potential problems / issues or other ideas on this topic.
Beta Was this translation helpful? Give feedback.
All reactions