
str4d | 3 years ago

Yep! Plugins themselves are ephemeral - all of their runtime state is provided by the age client - but when the plugin binary is invoked by the age client, it can then connect to (or start) the long-lived agent process and act as a proxy to it.

For YubiKey support specifically, my age-plugin-yubikey plugin handles encryption and ephemeral decryption (meaning that it connects to the YubiKey live, and thus has to treat e.g. "Once" PIN policies as "Always"). Once something like yubikey-agent has been extended to provide an age plugin, you could then take an age-plugin-yubikey identity and convert it into an agent plugin identity (so that the age client knows to invoke the agent's plugin for decryption rather than age-plugin-yubikey).
