I had to draw a line so I could actually release something. But Windows and Linux support is definitely a target. In fact, the core software was originally developed on both macOS and Linux with PC/SC smart cards (both PIV and OpenPGP) and Vault as key stores, but without any GUI components--everything compiled into a set of PKCS#11 (for OpenSSH, OpenSSL ENGINE, etc.) and PC/SC modules (for GnuPG). And I stayed away from macOS and Linux APIs as much as possible to ease a Windows port.
But friends and coworkers I explained and showed the idea to didn't get it conceptually (e.g. people have the idea of key rotation drilled into their head as if that's the alternative to HSMs, instead of it being a mitigation for a fundamentally broken key management ecosystem), plus most people just wanted something they could point SSH_AUTH_SOCK at, so there needed to be a daemon/menubar/taskbar service. Ultimately the hard part was modeling and building a GUI around the concept, so it would be easier to understand and use. To get something out the door I targeted my daily desktop environment, macOS. It's using Yue as the GUI toolkit, which supports Linux/Gtk, macOS, and Windows.
I took a year off of work to finally get the idea out of my head, which I had been mulling over for many years. But now I find myself in the middle of a downturn in the software engineering job market (anybody hiring or interested in investing?), so while I have work in progress to round out the macOS app features, Linux and Windows (which is really where the commercial viability exists, I think) will need to wait until I have some cashflow.
I'd like to eventually release the Linux work as open source. But FWIW if someone has a specific use case in mind and is willing to fund development, I could very quickly build and release a [non-GUI] Linux package. PKCS#11 and PC/SC Linux modules still build in the tree, and adding a TPM key store adapter alongside the other internal adapters would be relatively simple. In fact, a Linux PKCS#11 module for accessing Vault Transit Engine keys with TPM 2.0 mTLS authentication would be maybe 1-2 weeks of effort; slightly less if just straight TPM 2.0 support. Most of the implementation is already there, but polishing and testing something which can be supported long-term takes some effort.
Oh yeah. The macOS is something magic you’ve worked out. I use my YubiKey for SSH keys and I was never able to figure out how to get macOS to work for other processes (like IntelliJ) unless it was started from a shell. Then one day IntelliJ changed how that works and it hasn’t worked since.
Anyway, this is really cool. I use Windows, Linux, and Mac every day for work and having a consistent method of doing this kind of stuff sounds amazing. Keep up the good work.