FIDO2 security key.

A hardware security key keeps the signing secret on a physical device that never leaves your pocket. AgePony 2.0 can sign files using sk-ssh-ed25519 and sk-ecdsa keys held on a FIDO2 key, tapped over NFC.

// definition

FIDO2 security keys are hardware authenticators (such as YubiKeys) implementing the CTAP2 protocol. With OpenSSH (ssh-keygen -t ed25519-sk or -t ecdsa-sk) they hold sk-ssh-ed25519 or sk-ecdsa-sha2-nistp256 keys whose private half never leaves the device.

What it is

An sk- key is a security-key-backed SSH key. The private key material is generated inside the hardware token and cannot be extracted; the key file on the host (id_ed25519_sk by default) is only a key handle the token needs to reconstruct the key, and it is useless without the hardware. Every signature needs the physical device and, by default, a touch. Keys generated with verify-required additionally need the FIDO2 PIN, and each signature the token produces carries flags recording whether touch and PIN verification actually happened, plus the token's signature counter.

Why it matters

This is the strongest signing posture AgePony offers. Even if your phone is compromised, an attacker cannot sign as you without also possessing the physical key and satisfying its touch (and PIN, if the key requires one). The caveat is that a security key has no display: it proves you were present, and with a PIN that you were verified, but it cannot show you what it is signing, so a compromised phone could still substitute data at the moment you tap. What the key rules out is signing without you present. AgePony talks to the key over NFC, so a tap is all it takes.

// in AgePony

AgePony 2.0 supports sk-ssh-ed25519 and sk-ecdsa-sha2-nistp256 security keys for signing, with touch-only and FIDO2-PIN keys both handled over NFC.

Common questions.

Which keys are supported?

sk-ssh-ed25519 and sk-ecdsa-sha2-nistp256 (in full, sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com), the two security-key SSH types OpenSSH defines.

Touch or PIN?

Both. AgePony handles touch-only keys and keys that additionally require a FIDO2 PIN (keys generated with ssh-keygen -O verify-required).
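The touch-or-PIN distinction in "What it is" and in the question above is not just a setup choice: every sk- signature the token emits records in its flags byte whether the user was present (touched) and whether the user was verified (PIN), alongside the token's signature counter. The following is an added example, not AgePony's or OpenSSH's code. It unpacks the armoured SSHSIG envelope that ssh-keygen -Y sign writes for an sk-ssh-ed25519 key, as laid out in OpenSSH's PROTOCOL.sshsig and PROTOCOL.u2f documents, reports what the token attested, and rebuilds the exact bytes the token signed so they can be handed to any Ed25519 verifier. It does not itself verify the Ed25519 signature (standard-library Python has no Ed25519), and the sample envelope it parses is constructed inline from placeholder key and signature bytes, with the namespace "file" chosen for the example.

```python
import base64
import hashlib
import struct

# Flag bits of the FIDO authenticator-data byte that OpenSSH copies into
# every sk-* signature (OpenSSH PROTOCOL.u2f).
FLAG_USER_PRESENT = 0x01   # the key was touched
FLAG_USER_VERIFIED = 0x04  # a FIDO2 PIN (or biometric) was checked
FLAG_EXTENSIONS = 0x80     # extension data would follow; not reconstructable here

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode the SSH 'string' at buf[off:], returning (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def build_sshsig(pk32, application, namespace, sig64, flags, counter, hash_alg=b"sha512"):
    """Constructed test input: the armoured SSHSIG envelope for an sk-ssh-ed25519
    key, with caller-supplied (placeholder) key and signature bytes."""
    pubkey = ssh_string(SK_ED25519) + ssh_string(pk32) + ssh_string(application)
    sk_sig = (ssh_string(SK_ED25519) + ssh_string(sig64)
              + bytes([flags]) + struct.pack(">I", counter))
    body = (b"SSHSIG" + struct.pack(">I", 1) + ssh_string(pubkey) + ssh_string(namespace)
            + ssh_string(b"") + ssh_string(hash_alg) + ssh_string(sk_sig))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN SSH SIGNATURE-----\n" + "\n".join(lines) + "\n-----END SSH SIGNATURE-----\n"


def parse_sshsig(armored: str) -> dict:
    """Unpack an SSHSIG envelope holding an sk-ssh-ed25519 signature."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if lines[0] != "-----BEGIN SSH SIGNATURE-----" or lines[-1] != "-----END SSH SIGNATURE-----":
        raise ValueError("not an armoured SSH signature")
    body = base64.b64decode("".join(lines[1:-1]))
    if body[:6] != b"SSHSIG" or struct.unpack_from(">I", body, 6)[0] != 1:
        raise ValueError("bad SSHSIG magic or version")
    off = 10
    pubkey, off = read_string(body, off)
    namespace, off = read_string(body, off)
    reserved, off = read_string(body, off)
    hash_alg, off = read_string(body, off)
    sig, off = read_string(body, off)
    if off != len(body):
        raise ValueError("trailing data after SSHSIG")
    # Public key blob: type, 32-byte Ed25519 point, FIDO application ("ssh:" by default).
    ktype, o = read_string(pubkey, 0)
    if ktype != SK_ED25519:
        raise ValueError("only sk-ssh-ed25519 keys are handled here")
    pk32, o = read_string(pubkey, o)
    application, o = read_string(pubkey, o)
    # Signature blob: type, 64-byte Ed25519 signature, then the token's flags and counter.
    stype, o = read_string(sig, 0)
    if stype != ktype:
        raise ValueError("signature type does not match key type")
    raw_sig, o = read_string(sig, o)
    if o + 5 != len(sig):
        raise ValueError("malformed sk signature trailer")
    flags = sig[o]
    (counter,) = struct.unpack_from(">I", sig, o + 1)
    return {"public_key": pk32, "application": application, "namespace": namespace,
            "reserved": reserved, "hash_alg": hash_alg, "signature": raw_sig,
            "flags": flags, "counter": counter}


def assurance(info: dict) -> dict:
    """What the token itself attested about the signing ceremony."""
    return {"touched": bool(info["flags"] & FLAG_USER_PRESENT),
            "pin_verified": bool(info["flags"] & FLAG_USER_VERIFIED)}


def token_signed_bytes(info: dict, message: bytes) -> bytes:
    """Rebuild exactly what the token signed:
    SHA256(application) || flags || counter || SHA256(SSHSIG to-be-signed blob).
    Verify info['signature'] over this with Ed25519 under info['public_key']."""
    if info["flags"] & FLAG_EXTENSIONS:
        raise ValueError("extension data present; cannot reconstruct signed bytes")
    h_msg = hashlib.new(info["hash_alg"].decode(), message).digest()
    blob = (b"SSHSIG" + ssh_string(info["namespace"]) + ssh_string(info["reserved"])
            + ssh_string(info["hash_alg"]) + ssh_string(h_msg))
    return (hashlib.sha256(info["application"]).digest() + bytes([info["flags"]])
            + struct.pack(">I", info["counter"]) + hashlib.sha256(blob).digest())


if __name__ == "__main__":
    # Constructed sample: placeholder key/signature bytes, flags UP|UV, counter 17.
    sample = build_sshsig(b"\x11" * 32, b"ssh:", b"file", b"\x22" * 64, 0x05, 17)
    info = parse_sshsig(sample)
    print(assurance(info), "counter", info["counter"], "tbs bytes", len(token_signed_bytes(info, b"hello")))
```

A verifier that wants to enforce PIN use can refuse signatures whose flags lack FLAG_USER_VERIFIED; ssh-keygen -Y verify does the same when the allowed_signers entry carries the verify-required option, and it rejects signatures without FLAG_USER_PRESENT unless the entry says no-touch-required. The counter should only ever increase for a given key; a signature whose counter is not above the last one seen is a sign of a cloned credential or a replay.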

Get AgePony

Free file encryption for iOS and Android. No accounts, no tracking, no servers.