Adding support for ssh keys for encryption.

[Mic92]

SSH keys could be also used for encryption. They are already in well-known locations i.e. /etc/ssh/ssh_host_rsa_key. Most developer/servers have already ssh keys.
Since most users also have ways of trusting those ssh keys (TOFU, DNS, hosters like github/gitlab or certificates) importing them should be easy. For my project I am thinking about converting ssh keys to gpg keys. However it would be probably also beneficial for sops itself to have this supported out-of-the box. I think usability of ssh-keygen over gpg is out of question.

[Mic92]

Here is some boilercode to convert ssh keys to gpg: https://gist.github.com/Mic92/24c40996cd97cb8edd53fd688c60ab6f

[jvehent]

I agree with the initial request of using SSH keys for encryption, and #688 will give us that because age supports ssh keys.

The PGP key storage format is an abomination and it would be a mistake to add more complexity. Ultimately, we need to steer people away from PGP entirely.

[gzm55]

@jvehent unfortunately, #688 missing ssh keys supports

[Mic92]

I will built a tool eventually to convert ed25519 as well to age keys, like I did for gpg.

[D3vl0per]

Bump?

[Mic92]

I have built: https://github.com/Mic92/ssh-to-age https://github.com/Mic92/ssh-to-pgp/ for use with sops. ssh-to-age can be used for ed25519 keys and ssh-to-pgp for rsa-based ssh keys.

[childnode]

@Mic92 does your implementation literaly the same as https://github.com/FiloSottile/age/blob/main/agessh/agessh.go#L190 << https://blog.filippo.io/using-ed25519-keys-for-encryption age internally does on providing an ssh-ed25519 wrapping it into a X25519 curve encoded as Bech32 with HRP AGE-SECRET-KEY-?! looks like you copied some code and redistributed it under MIT without copyleft while age provided it under BSD 🤔

[Mic92]

BSD and MIT are compatible with each other.