Support for Nitrokey/smartcards/PKCS#11

[jans23]

Hi! It would be great to be able to keep the signing key (for authorized key signature) on a secure hardware dongle such as Nitrokey. In general OpenSSL can be used with a PKCS#11 engine for such cases. With theo-cli I don't see such possibility. Any thoughts?

[macno]

Hi, I don't have any experience with Nitrokey, I'll read the documentation. What we can do right now is to add a new argument to theo (--signature for example) to accept the signature so you can get the signature from OpenSSL and save it. What do you think?

[jans23]

That sounds like a sufficient temporary solution. Would you be interested in direct device support in Theo? I would be glad to provide you a free Nitrokey for that.

[macno]

Sure, always looking for new features to improve theo.
Meanwhile I released 0.10.0 (already on npm) to support external signature

[macno]

@jans23 I'd like to allocate some time to integrate Nitrokey in the next month, is your offer to provide us a device still valid?

[jans23]

Yes.

[macno]

You can reach me via email: {mynickname}[at]authkeys.io
Thanks