[KAMSPioneer]

I use both PKCS#11 and OpenPGP SSH keys and in my opinion, PKCS#11 is a better user experience if you don't also require PGP functionality. Especially if you're supporting MaxOS clients as you can just use Secretive[0]. As you say, FIDO is even better but comes with limitations on both client and server, which makes life tough.

[0] https://github.com/maxgoedjen/secretive

[wkat4242]

Oh yeah I don't really use macOS anymore. And I do really need PGP functionality for my password manager.

I used pkcs11 before with openct and opensc (on OpenHSM PIV cards) and the problem I had with it was that I always needed to runtime-link a library to the SSH binary to make it work which was often causing problems on different platforms.

The nice thing about using PGP/GPG is that it can simulate an SSH agent so none of this is necessary, it will just communicate with the agent over a local socket.

[palata]

> And I do really need PGP functionality for my password manager.

Just curious: is it https://www.passwordstore.org/?

[wkat4242]

Yes it is! It's great!

[wkat4242]

By the way, to elaborate, I love it because it's really secure when used with yubikeys, it's fully self hosted, it works on all the platforms I use including android and it's very flexible. There's no master password to guess which is always a bit of an Achilles heel with traditional PW managers. Because you have to use it so much you don't really want to have it too long or complex. This solves that while keeping it very secure.

The one thing I miss a bit is that it doesn't do passkeys. But well.

[palata]

I use it as well (with a Yubikey) and I love it! On Android I use Android-Password-Store [1], which is nice too. There is just this issue with OpenKeychain that concerns me a bit, I am not sure if Android-Password-Store will still support hardware keys when moving to v2... but other than that it's great!

[1]: https://github.com/android-password-store/Android-Password-S...