Hardware-based SSH/GPG/age agent
This project allows you to use various hardware security devices to operate GPG, SSH and age. Instead of keeping your key on your computer and decrypting it with a passphrase when you want to use it, the key is generated and stored on the device and never reaches your computer. Read more about the design here.
You can do things like sign your emails, git commits, and software packages, manage your passwords (with pass and passage, among others), authenticate web tunnels and file transfers, and more.
See the following blog posts about this tool:
- TREZOR Firmware 1.3.4 enables SSH login
- TREZOR Firmware 1.3.6 — GPG Signing, SSH Login Updates and Advanced Transaction Features for Segwit
- TREZOR Firmware 1.4.0 — GPG decryption support
- A Step by Step Guide to Securing your SSH Keys with the Ledger Nano S
Currently TREZOR One, TREZOR Model T, Keepkey, Ledger Nano S, and OnlyKey are supported.
Components
This repository contains source code for one library as well as agents to interact with several different hardware devices:
libagent
: shared librarytrezor-agent
: Using Trezor as hardware-based SSH/PGP/age agentledger_agent
: Using Ledger as hardware-based SSH/PGP agentjade_agent
: Using Blockstream Jade as hardware-based SSH/PGP agentkeepkey_agent
: Using KeepKey as hardware-based SSH/PGP agentonlykey-agent
: Using OnlyKey as hardware-based SSH/PGP agent
The /releases page on Github contains the libagent
releases.
Documentation
-
Installation instructions are here
-
SSH instructions and common use cases are here
Note: If you're using Windows, see trezor-ssh-agent by Martin LÃzner.
-
GPG instructions and common use cases are here
-
age instructions and common use cases are here
-
Instructions to configure a Trezor-style PIN entry program are here