[nickray]

We hope and think that PIV can replace all the practical use cases for PGP. Specifically among those mentioned, `age` for file encryption, and either FIDO resident keys with hmac-secret for password managers, or something like `passage` (fork of `pass` using, again, `age` for encryption). For SSH you can use FIDO for newer OpenSSH, and either `pivy` or `yubikey-agent` via PIV. Cheers!

[rlctntpgpusr]

As a reluctant PGP user who has backed Solo Keys v2 for 4+ for personal use, and who has written Rust code in the pursuit of using PIV over OpenPGP, this answer is disappointing.

Age isn't there. It does NOT have good (read, right now, really, any) support for hardware tokens. I'm skeptical of what I've seen. And age still punts on authentication. And PIV still doesn't have decent keys at decent sizes standardized and thus is awkward to use in practice.

I'm really not convinced, and I really want to be. I wrote a bunch of forward-looking Rust, and then permanently backburner-ed it because age/yubikey just isn't there yet.

Using FIDO2 for SSH, when you're used to the portability and versatility of OpenPGP, stinks. I can use my Yubikey perfectly to do SSH and GPG in Windows. I can forward SSH agent and GPG from Windows to Linux such that it is identical in functionality to me sitting in front of my actual Linux box with my Yubikey plugged in. I have never seen that done with PIV.

I have this extreme fear that I'm going to wind up with four solokeysv2 that just sit in a drawer.

[upofadown]

>`age` for file encryption,

I can't see why one would bother. OpenPGP works and is a published standard that has been around forever. Age is just pointlessly different with fewer use cases. This has an example of where age is objectively worse:

* https://articles.59.ca/doku.php?id=pgpfan:agevspgp

[georgyo]

What about code signing?

People like to dislike PGP and replace it with a myriad of different solutions. But PGP is everywhere and awesome. It's very wide spread adoption is invaluable. I really don't want to see it replaced with zillions of different bespoke solutions.

[tadfisher]

Yep! It's magical having everything signed automatically by plugging in my Yubikey and setting some git config once. I will not go to something that doesn't enable this.

[kevdev]

This. I’m a backer for their Kickstarter but the lack of PGP is unfortunate. Yes, there are problems with it. But as you said, it’s everywhere. It’s not going anywhere anytime soon, so what’s the harm in supporting it for now?

[IgorPartola]

Why do people like to hate on PGP? It’s a pretty great project.

[Avamander]

Because it has a shitton of issues. The implementations aren't great, cryptographic issues, memory safety issues, stable API/ABI issues. It's still not supported well by software that could use these features.

[GekkePrutser]

Most of the security issues are mitigated by using a hardware token to do the actual encryption anyway.

[Avamander]

Those are expensive

[georgyo]

You do realize that the solokey is a hardware token....

[GekkePrutser]

Yeah I dislike PGP mainly for email by the way. It's too clumsy there.

For file encryption and signing it's great IMO.

[GekkePrutser]

Understood and it probably can but I don't want to replace it :) I like OpenPGP (especially the newer revision which supports elliptic curve).

The GPG toolchain is pretty great for file encryption and I use it for my password manager too (which is indeed ZX2C4 Pass - passwordstore.org ). I don't want to use a fork using 'age' because I rely on the GPG version on my mobile (using the excellent OpenKeyChain app and the passwordstore app which talks to that).

Also, I log in to SSH servers I don't have the ability to install stuff on, like the ILO on my servers. And again on mobile, there's bridges to OpenKeyChain for SSH in e.g. Termux which work great including agent forwarding. But not for PIV. So it's not a complete replacement.

Sorry but without OpenPGP it's a non-starter for me. I understand I could use Solokey if I make a lot of changes in my personal setup and make some compromises especially on mobile. But why would I? I can just continue using Yubikey :) Don't forget you're in a heavily contested market, you should be better than the competition.

I'd like to have an open-source authentication key but in the end it's a tool to me. Open-source is a 'nice to have'. It's not worth it to me to deviate too much from my existing workflow.

[motiejus]

Anything similar to https://github.com/drduh/YubiKey-Guide for what you have just described?

I am willing to use what I can understand, backup and operate, and yubikey+gpg seems to be it because of this guide.

Anything practical for what you've mentioned?

Edit: for ssh and encryption.

[boris]

Another thing to keep in mind about PIV is that it's currently limited (at the standard level) to RSA-2048 max.

Would it be possible to make a custom firmware that support RSA-4096 PIV?