Are there any reasons why only ed25519 keys are supported? It would be great if EC keys were supported as well. In particular I'm asking this as I would love to be able to use SSH keys generated by piv-agent for sops-nix, which are of ecdsa-sha2-nistp256 format. It's so far in my opinion the most practical (in terms of the balance of simplicity, functionality and security) way I've found to use hardware keys for development.
Of course, I could also use the GPG keys generated by piv-agent for sops-nix. However, I'd really prefer to avoid GPG when possible, which I think you can understand considering you seem to agree that "GnuPG is in general not great software".
There is also age-plugin-yubikey, however, that doesn't seem to be able to use PIV keys generated by piv-agent, which would require creating more PIV keys on other slots. While that isn't too big of a deal, it also seems that age-plugin-yubikey cannot run while piv-agent is active, as the PIV device is busy. That means that piv-agent would have to be stopped every time a file needs to be encrypted or decrypted, which is really inconvenient.
So I thought converting the ecdsa-sha2-nistp256 keys generated by piv-agent using ssh-to-age would be a perfect solution to this problem. Would it be possible, or are there some technical limitations?
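The question above comes down to what an age recipient is: an X25519 public key. An ssh-ed25519 key is a point on the twisted Edwards form of the same curve (Curve25519), and the birational map u = (1 + y) / (1 - y) sends it to exactly that X25519 key, which is the conversion ssh-to-age performs. An ecdsa-sha2-nistp256 key is a point on P-256, a different curve with no such map onto X25519, so there is nothing to convert. The following is an added example written for this page, not ssh-to-age's own code and not the poster's; it uses only the Python standard library. The seed, the key-line comment and the function names are constructed for the demo. It derives an Ed25519 public key from a seed, converts the resulting ssh-ed25519 line to an age recipient, checks that result against the X25519 ladder run on the same clamped scalar (which is also how the matching age identity is obtained: the first 32 bytes of SHA-512 of the seed), and shows the ecdsa key being refused.

```python
# Added example, not ssh-to-age's own code: why only ssh-ed25519 keys convert.
# Ed25519 points live on the twisted Edwards form of Curve25519; the map
# u = (1 + y) / (1 - y) yields the X25519 public key age uses as a recipient.
# P-256 (ecdsa-sha2-nistp256) has no such map. Stdlib only; inputs constructed.
import base64, hashlib, struct

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P             # twisted Edwards d
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"            # bech32 alphabet

def _inv(x):
    return pow(x % P, P - 2, P)

def _ed_add(p1, p2):                                   # affine addition, a = -1
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % P)

def _ed_mul(k, pt):                                    # double-and-add from (0, 1)
    r = (0, 1)
    while k:
        r = _ed_add(r, pt) if k & 1 else r
        pt, k = _ed_add(pt, pt), k >> 1
    return r

def _ed_base():                                        # RFC 8032 base: y = 4/5, x even
    y = 4 * _inv(5) % P
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return (P - x if x & 1 else x), y

def _clamp(seed):                                      # RFC 8032 / RFC 7748 scalar
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0], h[31] = h[0] & 248, (h[31] & 127) | 64
    return int.from_bytes(h, "little")

def ed25519_public_key(seed):                          # 32-byte seed -> encoded point
    x, y = _ed_mul(_clamp(seed), _ed_base())
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def x25519_public_key(seed):                           # same scalar, RFC 7748 ladder
    k = _clamp(seed)
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * _inv(z2) % P).to_bytes(32, "little")

def bech32_encode(hrp, payload):                       # BIP-173 bech32, as age uses
    acc, bits, data = 0, 0, []
    for byte in payload:                               # regroup 8-bit -> 5-bit
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data + [0] * 6:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    chk ^= 1
    data += [(chk >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def ssh_public_line(key_type, key_bytes):              # OpenSSH one-line public key
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} demo-comment"

def ssh_to_age_recipient(line):                        # the ssh-to-age conversion
    key_type, b64 = line.split()[:2]
    if key_type != "ssh-ed25519":                      # P-256 etc. have no X25519 image
        raise ValueError(f"{key_type}: cannot be mapped onto X25519")
    blob = base64.b64decode(b64)
    tlen = struct.unpack(">I", blob[:4])[0]
    pub = blob[8 + tlen:40 + tlen]                     # the 32-byte encoded point
    y = int.from_bytes(pub, "little") & ((1 << 255) - 1)   # drop the x sign bit
    u = (1 + y) * _inv(1 - y) % P                      # Edwards y -> Montgomery u
    return bech32_encode("age", u.to_bytes(32, "little"))

def is_convertible(line):
    try:
        ssh_to_age_recipient(line)
        return True
    except ValueError:
        return False
```

The consistency check is the point: the recipient computed from the Edwards public key equals the bech32 encoding of the X25519 public key obtained by running the Montgomery ladder on the same clamped SHA-512-derived scalar, because the base point y = 4/5 maps to u = 9 and the map is a group isomorphism. For a P-256 key there is no scalar or point on Curve25519 to relate it to, so the only honest behaviour is to refuse the key.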
Sorry for the late response. I think the limitations are more on the sops side. We are using a library from sops for decrypting secrets and I don't think they support agents for age.