On Monday, 24 February 2025 15:32 Clara Engler via tor-relays wrote:
> This made me think about how we could solve that issue by storing the Ed25519 identity key on a Yubikey and let it sign the relevant certificates.
Nice feature, has been requested by some in recent years.
> In theory, one Yubikey can store up to 17 relay identity keys, before reaching its limit. Unfortunately, Ed25519 support is rather new in Yubikeys, so you will probably need a newer one (I developed it with firmware 5.7).

Nitrokey 3 (27 ECC keys), Nitrokey HSM 2 (55 ECC keys). OnlyKey Pro is in development. It is intended to offer plenty of storage space for password managers and will probably be able to store many ECC keys. (Will hopefully be released on Kickstarter in a few months.)
E.g. the ed25519-sk key pair is only supported by newer YubiKeys with firmware 5.2.3: https://gist.github.com/boldsuck/905c2c01e596e5673340216089366b76
This is exactly why I don't buy Yubikeys anymore. You don't know what firmware you're getting before you buy it. Firmware can't be updated. Every time I buy one, months later I find that a new feature is missing. :-(
Nitrokeys, Solokeys and OnlyKeys are open source and firmware-upgradeable. Backup and upload to new key(s) is possible.
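The firmware-version problem raised above (you cannot tell before buying, and cannot upgrade afterwards, whether a YubiKey is new enough for Ed25519) is the kind of thing worth gating in a relay-provisioning script rather than discovering months later. The following is an added example, not code from this thread or from the Tor project: it parses a `Firmware version: X.Y.Z` line as printed by a tool like `ykman info` (the exact output format is an assumption here) and compares it, as a numeric tuple rather than a string, against the 5.2.3 threshold the message gives for ed25519-sk. The sample device outputs are constructed.

```python
import re

# Minimum YubiKey firmware for ed25519-sk, as stated in the thread.
ED25519_SK_MIN_FIRMWARE = (5, 2, 3)

# Assumption: the tool prints a line such as "Firmware version: 5.7.1".
FIRMWARE_RE = re.compile(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE)


def parse_firmware_version(info_text: str):
    """Return (major, minor, patch) from the device info text, or None if absent.

    A numeric tuple is used on purpose: a plain string comparison would
    rank "5.10.0" below "5.7.1" and mis-gate a perfectly good device.
    """
    m = FIRMWARE_RE.search(info_text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def supports_ed25519_sk(info_text: str) -> bool:
    """True only when a firmware version is present and meets the threshold."""
    version = parse_firmware_version(info_text)
    return version is not None and version >= ED25519_SK_MIN_FIRMWARE


def classify_devices(outputs: dict) -> dict:
    """Map a device label to 'ok', 'too old', or 'unknown' for a fleet of keys."""
    result = {}
    for label, text in outputs.items():
        version = parse_firmware_version(text)
        if version is None:
            result[label] = "unknown"
        elif version >= ED25519_SK_MIN_FIRMWARE:
            result[label] = "ok"
        else:
            result[label] = "too old"
    return result


# Constructed sample outputs in the assumed `ykman info` style.
SAMPLE_OLD = """Device type: YubiKey 5 NFC
Serial number: 0000000
Firmware version: 5.1.2
"""

SAMPLE_NEW = """Device type: YubiKey 5C NFC
Serial number: 0000000
Firmware version: 5.7.1
"""

SAMPLE_MISSING = """Device type: unknown
Serial number: 0000000
"""

if __name__ == "__main__":
    fleet = {"key-a": SAMPLE_OLD, "key-b": SAMPLE_NEW, "key-c": SAMPLE_MISSING}
    for label, verdict in classify_devices(fleet).items():
        print(f"{label}: {verdict}")
```

A device reported as `unknown` should be treated the same as `too old` for provisioning purposes: the script cannot prove the key supports Ed25519, so it should not be handed a relay identity key.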