Update README and CHANGELOG for PIN cache changes
@@ -9,6 +9,16 @@ to 0.3.0 are beta releases.
## [Unreleased]
## [Unreleased]
### Changed
### Changed
- MSRV is now 1.60.0.
- MSRV is now 1.60.0.
- The YubiKey PIV PIN and touch caches are now preserved across processes in
most cases. See [README.md](README.md#agent-support) for exceptions. This has
several usability effects:
- If a YubiKey's PIN is cached by an agent like `yubikey-agent`, and then
`age-plugin-yubikey` is run (either directly or as a plugin), the agent
won't request a PIN entry on its next use.
- If a YubiKey's PIN was requested by either a previous invocation of
`age-plugin-yubikey` or an agent like `yubikey-agent`, subsequent calls to
`age-plugin-yubikey` won't request a PIN entry to decrypt a file with an
identity that has a PIN policy of `once`.
## [0.3.2] - 2023-01-01
## [0.3.2] - 2023-01-01
### Changed
### Changed
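Review bot: the new CHANGELOG entry under "Changed" describes only the usability upside of preserving the PIN and touch caches across processes; the trade-off belongs in the same entry, since an identity with a PIN policy of `once` now stays usable without a PIN prompt after `age-plugin-yubikey` exits, until one of the events the README lists ends the session. Suggest adding a bullet such as `- The YubiKey therefore remains PIN-authenticated after the plugin exits; unplug it or switch applets to end the session.` so someone reading the changelog alone sees the behaviour change rather than only the link to README.md#agent-support.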
@@ -115,13 +115,24 @@ age client as normal (e.g. `rage -d -i yubikey-identity.txt`).
### Agent support
### Agent support
`age-plugin-yubikey` does not provide or interact with an agent for decryption.
`age-plugin-yubikey` does not provide or interact with an agent for decryption.
As age plugin binaries have short lifetimes (they only run while the age client
It does however preserve the PIN cache by not soft-resetting the YubiKey after a
is running), this means that YubiKey identities configured with a PIN policy of
decryption or read-only operation, which enables YubiKey identities configured
`once` will actually prompt for the PIN on every decryption.
with a PIN policy of `once` to not prompt for the PIN on every decryption.
A decryption agent will most likely be implemented as a separate age plugin that
The session that corresponds to the `once` policy can be ended in several ways,
interacts with [`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent),
not all of which are necessarily intuitive:
enabling YubiKeys to be used simultaneously with age and SSH.
- Unplugging the YubiKey (the obvious way).
- Using a different applet (e.g. FIDO2). This causes the PIV applet to be closed
which clears its state.
- Generating a new age identity via `age-plugin-yubikey --generate` or the CLI
interface. This is to avoid leaving the YubiKey authenticated with the
management key.
If the current PIN UX proves to be insufficient, a decryption agent will most
likely be implemented as a separate age plugin that interacts with
[`yubikey-agent`](https://github.com/FiloSottile/yubikey-agent), enabling
YubiKeys to be used simultaneously with age and SSH.
### Manual setup and technical details
### Manual setup and technical details
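Review bot: the README paragraph says the plugin preserves the "PIN cache" by not soft-resetting the YubiKey, while the CHANGELOG entry in this same commit says the PIN and touch caches are preserved; the two should agree, and this section is the place to state plainly that, until one of the listed events ends the session, any process that opens the PIV applet (the CHANGELOG itself gives `yubikey-agent` as an example) can use `once` identities without a PIN prompt. Two smaller points in the list: the second bullet needs a comma ("This causes the PIV applet to be closed, which clears its state."), and "or the CLI interface" in the third bullet is ambiguous because `age-plugin-yubikey --generate` is itself a command-line invocation; say which interface it is being contrasted with.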