How to sign a file with a security key.

The strongest signing posture AgePony offers. Hold your signing key on a FIDO2 hardware device, and AgePony 2.0 signs by tapping it over NFC — the private key never leaves the hardware.

~3 minutes · iOS / Android · A FIDO2 security key
// at a glance
  1. Have an sk-ssh-ed25519 or sk-ecdsa key
  2. Open AgePony, choose Sign
  3. Select the security-key identity
  4. Tap the key over NFC
  5. Share file plus signature
Prerequisites
  • AgePony 2.0 installed
  • A FIDO2 security key holding an sk-ssh-ed25519 or sk-ecdsa-sha2-nistp256 key
  • NFC enabled on your phone
// step 01

Confirm your key type.

Security-key SSH keys are sk-ssh-ed25519 or sk-ecdsa-sha2-nistp256. They are generated on the hardware token and cannot be extracted. Import the public key into AgePony if you have not already.

// step 02

Open the Sign flow and select the security-key identity.

Choose Sign, then select your security-key identity. AgePony signs under the agepony namespace.

// step 03

Pick the file.

Select the file to sign.

// step 04

Tap the key over NFC.

Hold the security key to your phone. If the key is touch-only, a tap confirms; if it requires a FIDO2 PIN, AgePony prompts for it first. The signature is computed on the security key.

// step 05

Share the file and signature.

AgePony writes a detached .sig. Send it alongside the file for verification with your public key.

Verify it worked.

  • AgePony reports the security-key identity used.
  • Signing requires the physical key present — it fails without a tap.
  • ssh-keygen -Y verify accepts the result with your sk- public key.
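
The last check above, written out as an added example (not AgePony's own code): a shell function that verifies the detached .sig with ssh-keygen -Y verify, pinned to the agepony namespace and to a security-key key type. The signer label, the REQUIRE_SK opt-out variable and the OpenSSH one-line public key file are assumptions.

```shell
#!/bin/sh
# Added example, not AgePony's own tooling.
# Usage: verify_agepony_sig FILE SIGNER_ID PUBKEY_FILE
#   FILE         the signed file; the detached signature is FILE.sig
#   SIGNER_ID    label for the signer (hypothetical, e.g. alice@example.com)
#   PUBKEY_FILE  signer's public key, OpenSSH one-line format (assumed)
# Returns 0 if valid, 2 on missing input, 3 if the key is not a
# security-key type, otherwise ssh-keygen's non-zero status.
verify_agepony_sig() {
    file=$1 signer=$2 pubkey=$3
    [ -r "$file" ] && [ -r "$file.sig" ] && [ -r "$pubkey" ] || return 2

    # Split "type base64 [comment]"; only the first two fields are pinned.
    read -r keytype keydata _rest < "$pubkey" || [ -n "$keytype" ] || return 2

    # In a .pub file the two key types carry an @openssh.com suffix.
    # Refuse software keys unless REQUIRE_SK=0 (assumed opt-out variable).
    if [ "${REQUIRE_SK:-1}" != 0 ]; then
        case $keytype in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
            *) return 3 ;;
        esac
    fi

    signers=$(mktemp) || return 2
    # allowed_signers line: principal, options, key type, key data.
    # namespaces="agepony" rejects signatures this key made for any
    # other purpose (for example git commits).
    printf '%s namespaces="agepony" %s %s\n' \
        "$signer" "$keytype" "$keydata" > "$signers"

    # -n must equal the namespace used at signing time; the signed
    # content is read from stdin, the signature from FILE.sig.
    rc=0
    ssh-keygen -Y verify -f "$signers" -I "$signer" -n agepony \
        -s "$file.sig" < "$file" >/dev/null 2>&1 || rc=$?
    rm -f "$signers"
    return "$rc"
}
```

Obtain the public key over a channel you trust, separate from the file and signature, since the verification only proves the file matches whichever key you pinned.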

Common questions.

Which keys are supported?

sk-ssh-ed25519 and sk-ecdsa-sha2-nistp256, the two security-key SSH types OpenSSH defines.

Touch-only or PIN keys?

Both. AgePony handles a simple touch and keys that also require a FIDO2 PIN.

Why is this stronger?

Even a compromised phone cannot sign as you without the physical key and its touch or PIN.

Does it work over USB?

AgePony uses NFC for security-key operations on mobile. Tap the key to the phone.
