age YubiKey identities use ECC P-256 keys, generated on the hardware token, with certificates that never expire. The default PIN policy is "once per session", and the default touch policy is "every decryption".
<dl>
<dt>Plugin name</dt>
<dd>
`yubikey`
</dd>
<dt>Recipient data</dt>
<dd>
```
SEC-1-C(public key)
```
where `SEC-1-C` is the 33-byte compressed SEC-1 encoding.
</dd>
<dt>Identity data</dt>
<dd>
A YubiKey "identity" is managed locally as a key stub with the following form:
```
serial || slot || SHA-256(SEC-1-C(public key))[:4]
```
The stub may live in a file alongside age X25519 secret keys and is passed to the age / rage binary with the `-i` flag in the same way.
</dd>
<dt>Stanza</dt>
<dd>
A PIV stanza is of the form:
```
-> piv-p256 encode(SHA-256(SEC-1-C(public key))[:4]) encode(SEC-1-C(ECDH(ephemeral secret, p256-basepoint)))\n
encode(encrypt[HKDF[salt, label](ECDH(ephemeral secret, public key))](file key))\n
```
where `ephemeral secret` is a random scalar in the range `[1, n-1]` of the P-256 scalar field and MUST be freshly generated for every file key, `salt` is `SEC-1-C(ECDH(ephemeral secret, p256-basepoint)) || SEC-1-C(public key)`, and `label` is `piv-p256`.
</dd>
</dl>
Note that the tag shared by the stanza and the key stub lets a recipient trivially determine whether it can decrypt a particular stanza (before prompting for PIN or touch), at the cost of making recipients linkable across different encrypted files.
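The following is an added, self-contained Python walk-through of the stanza and key-stub rules above; it is example code, not the plugin's own implementation. It assumes the usual ECDH convention (and what the YubiKey's PIV ECDH operation returns) that the shared secret is the 32-byte x-coordinate of the shared point; that `encode` is age's standard-alphabet base64 without padding and `HKDF` is HKDF-SHA-256, as in the age format; and that the stub bytes are a 4-byte big-endian serial, a 1-byte slot and the 4-byte tag, inferred from the `00bc614e_9d_6ecc74ff` stub in the usage example (`0x00bc614e` is serial 12345678). The final `encrypt` step (age's ChaCha20-Poly1305 under an all-zero nonce) is left to an AEAD library. The P-256 arithmetic is textbook affine double-and-add: fine for showing the protocol offline, not constant-time, and not something to ship.

```python
import base64
import hashlib
import hmac
import secrets

# NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
LABEL = b"piv-p256"


def _add(p1, p2):
    """Affine point addition; None is the point at infinity. Not constant-time."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Scalar multiplication by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sec1_compressed(pt):
    """SEC-1-C: 0x02/0x03 (parity of y) followed by the 32-byte big-endian x."""
    x, y = pt
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def sec1_decompress(data):
    """Inverse of sec1_compressed; rejects malformed or off-curve input."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed P-256 point")
    x = int.from_bytes(data[1:], "big")
    rhs = (x ** 3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)  # P = 3 mod 4, so this yields a square root if one exists
    if (y * y) % P != rhs:
        raise ValueError("x is not on the curve")
    if (y & 1) != (data[0] & 1):
        y = P - y
    return x, y


def hkdf_sha256(salt, ikm, info, length=32):
    """HKDF-SHA-256 (RFC 5869), the KDF age uses for wrap keys."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode(data):
    """age stanza encoding: standard base64, no padding."""
    return base64.b64encode(data).decode().rstrip("=")


def decode(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))


def tag(pub_bytes):
    return hashlib.sha256(pub_bytes).digest()[:4]


def make_stub(serial, slot, pub_bytes):
    """serial || slot || tag (assumed widths: 4-byte serial, 1-byte slot), raw bytes."""
    return serial.to_bytes(4, "big") + bytes([slot]) + tag(pub_bytes)


def wrap(pub_bytes, eph_scalar=None):
    """Sender side: returns the stanza args and the wrap key for this recipient."""
    eph = eph_scalar or (secrets.randbelow(N - 1) + 1)  # fresh scalar for every file key
    recipient = sec1_decompress(pub_bytes)
    eph_pub = sec1_compressed(_mul(eph, G))
    shared = _mul(eph, recipient)[0].to_bytes(32, "big")  # x-coordinate (assumed ECDH output)
    key = hkdf_sha256(eph_pub + pub_bytes, shared, LABEL)
    return ["piv-p256", encode(tag(pub_bytes)), encode(eph_pub)], key


def stub_matches(stub, args):
    """Cheap pre-check from the tag alone; also the linkability cost noted above."""
    return args[0] == "piv-p256" and decode(args[1]) == stub[5:]


def unwrap(priv_scalar, pub_bytes, args):
    """Recipient side. On a real YubiKey the scalar never leaves the token; the
    multiplication here stands in for the PIN/touch-gated PIV ECDH operation."""
    eph_pub = decode(args[2])
    shared = _mul(priv_scalar, sec1_decompress(eph_pub))[0].to_bytes(32, "big")
    return hkdf_sha256(eph_pub + pub_bytes, shared, LABEL)
```

`wrap` builds the two stanza arguments exactly as the grammar above lays them out; `stub_matches` is the tag comparison a recipient can run over every stanza in a header without touching the token, which is what makes the tag both convenient and linkable.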
---
Usage example (responses out-of-date):
```
$ cargo install --path .
$ age-plugin-yubikey -o keystub.txt
Enter PIN for YubiKey with serial 12345678: [hidden]
Use the up/down arrow keys to select a YubiKey slot (q to quit): Retired(R1) (Empty)
Select a PIN policy: Once (A PIN is required once per session, if set)
Select a touch policy: Always (A physical touch is required for every decryption),
Generate new key in Retired(R1) slot? yes
$ cat keystub.txt
# created: 2019-12-07T23:13:09Z
# yubikey:A_y2TWFFIZ8AhuFCjpxGzt_qiZrwMfEyDG6M8fqgG3ET
AGE_YUBIKEY_STUB_00bc614e_9d_6ecc74ff
$ echo "YubiKey FTW!" | rage -o test.age -r yubikey:A_y2TWFFIZ8AhuFCjpxGzt_qiZrwMfEyDG6M8fqgG3ET
$ rage -d -i keystub.txt test.age
Enter PIN for YubiKey with serial 12345678: [hidden]
YubiKey FTW!
```