I am creating a USB Enclave to store my SSH keychain on a MacBook Pro 2019 #366
-
Greetings and salutations. Is there a way to port Secretive to a USB device? The reason is I keep being denied when I name my keys, like ssh-keygen -t ed25519 -f path/to/.ssh/name-of-site -C "my email", but I've noticed that every time, with certain servers or clients using sftp, or using ForkLift, if the file is renamed or placed in a different folder, the public key is denied, regardless of whether I add it correctly to the agent. However, if I do the exact same thing, leaving the key as default, the key works. The problem is that I'm stuck with only one key for each algorithm, and automating their weekly change is cumbersome. GPG with add key was a solution, but with Monterey, not so much.

My solution, given that I stink as a programmer, was to take a 120 GB USB drive, then slice and dice it into multiple partitions, to create secure enclaves for each site. This way, I can just use the defaults stored in each partition. Then my autobots can go to town, controlling the ever-changing dance of the rotating keys.

I see you're a fellow Angeleno; I'm right under the Hollywood Sign up Beachwood, perched atop one of the hills. Back to the problem... The reason I need this is to run 30 sites, most of which are created through macros and automation. I even automate (or used to automate) the rotation of SSH keys, due to the fact that I work in crypto and NFT minters and don't trust anyone, lol - smh as I install Secretive. That being said, the reason I like ForkLift is that it allows me to access all the sites simultaneously, automates my scrapers to push data to sites, funneling info where I need it to control my narrative, and allows me to appear as if I'm a mega company, when... it's just me, LOL, and my autobots doing their thing while I create my art and videos. I love your program; 1Password is attempting the same thing, but it's janky.

I installed the JSON file, and "it's supposed to inject the pub key into the ssh folder when needed via the watch" (but it didn't work). So here I am, trolling on GitHub for solutions, and I stumbled upon Secretive. Let me know if it's possible. I'll probably still try, but I want to spend my time making money rather than trying to figure out something I'm not that good at. Automation, which looks like magic to most, runs off of old Jax and AppleScript, Keyboard Maestro and Hazel... and headings of Photoshop actions (also Jax) or Emma script. Sorry for the lengthy write-up, but I thought it was a good question from a special needs person like... moi. Best,
Replies: 3 comments
-
Hi @ntbdy – to be perfectly honest I don't think Secretive is the right solution for your problem; it does not have much in the way of automation facilities, and deleted keys are non-recoverable, which would not be good if something goes wrong in your rotation process. As to why your keys are failing to be picked up when they're named different things – that just sounds like a config issue of some type; that ought to work.
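The "config issue" the maintainer points at is the usual one: ssh only tries the default ~/.ssh/id_* files on its own, so a key generated under any other name is never offered unless an IdentityFile line (in a matching Host block of ~/.ssh/config, or -i on the command line) names it. Two related traps: for most keywords the first matching block wins, so a per-site block has to come before a catch-all Host * block, and without IdentitiesOnly yes ssh also offers every key loaded in the agent, which with many keys can exhaust the server's MaxAuthTries before the right one is reached (the server then "denies" a perfectly good key). The following is an added example, not code from the poster or from Secretive; the aliases, hostnames, users and key paths are invented, and it only transforms and inspects config text rather than touching the real ~/.ssh/config. It keeps one pinned key per site and shows which keys ssh would end up offering.

```python
"""Per-site ssh_config blocks so a non-default key name is actually used.

Added example, not code from the original post or from Secretive.  The host
aliases, hostnames, users and key paths below are invented, and nothing here
touches the real ~/.ssh/config; it only transforms and inspects text.
"""
import fnmatch
import re

# Abbreviated list of the identities ssh tries when NO IdentityFile is set.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]

# Constructed sample ~/.ssh/config: one per-site block plus a catch-all.
SAMPLE_CONFIG = """\
Host site-a
    HostName a.example.net
    User deploy
    IdentityFile ~/.ssh/site-a
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_ed25519
"""


def parse_config(text):
    """Split ssh_config text into (host patterns, [(keyword, value), ...]).

    Options that appear before the first Host line apply to every host, so
    they are filed under the pattern '*'.  Keywords are lower-cased because
    ssh treats them case-insensitively.
    """
    blocks, patterns, options = [], ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((key, value))
    blocks.append((patterns, options))
    return blocks


def resolve(text, host):
    """Mimic ssh's lookup: for each keyword the FIRST matching block wins,
    except IdentityFile, which accumulates across every matching block."""
    settings, identities = {}, []
    for patterns, options in parse_config(text):
        wanted = [p for p in patterns if not p.startswith("!")]
        excluded = [p[1:] for p in patterns if p.startswith("!")]
        if any(fnmatch.fnmatchcase(host, p) for p in excluded):
            continue
        if not any(fnmatch.fnmatchcase(host, p) for p in wanted):
            continue
        for key, value in options:
            if key == "identityfile":
                identities.append(value)
            else:
                settings.setdefault(key, value)
    # A key with a custom name is only tried if some block names it;
    # otherwise ssh falls back to the default id_* files.
    settings["identityfile"] = identities or list(DEFAULT_IDENTITIES)
    return settings


def site_block(alias, hostname, user, identity_file):
    """One per-site block.  IdentitiesOnly stops ssh from also offering every
    key in the agent, which can exhaust the server's MaxAuthTries before the
    right key is reached."""
    return (f"Host {alias}\n    HostName {hostname}\n    User {user}\n"
            f"    IdentityFile {identity_file}\n    IdentitiesOnly yes\n")


def upsert_host(text, alias, hostname, user, identity_file):
    """Replace an existing 'Host <alias>' block (e.g. after a key rotation) or
    insert a new one ahead of any 'Host *' catch-all so it is matched first."""
    block = site_block(alias, hostname, user, identity_file)
    existing = re.compile(
        rf"(?m)^Host[ \t]+{re.escape(alias)}[ \t]*\n(?:[ \t]+\S.*\n?)*")
    if existing.search(text):
        return existing.sub(lambda _m: block, text, count=1)
    catch_all = re.search(r"(?m)^Host[ \t]+\*[ \t]*$", text)
    if catch_all:
        i = catch_all.start()
        return text[:i] + block + "\n" + text[i:]
    return (text.rstrip("\n") + "\n\n" if text.strip() else "") + block


if __name__ == "__main__":
    cfg = upsert_host(SAMPLE_CONFIG, "site-b", "b.example.net", "deploy", "~/.ssh/site-b")
    print(cfg)
    print("keys offered to site-b:", resolve(cfg, "site-b")["identityfile"])
```

On a real machine the same question is answered by ssh itself: `ssh -G <alias>` prints the effective values (including every IdentityFile) without connecting, and `ssh -v <alias>` shows each "Offering public key" line, so you can see whether the renamed key is offered at all and how many agent keys go out ahead of it.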
-
Yeah, I figured. I had and still have my MacBook configured with PAM via YubiKey, for passwordless entry to avoid brute-force attacks, but I'm unable to find where to change my ports <------ ignorance is not bliss! My problem now is, when authorizing the Yubi for PAM on Monterey, it seems to have also locked in its own auth for SSH keys. Meaning when I type ssh-add -l to see my list of keys, I only see the keys in my Yubi, which is nice if I were only running a machine or two. I'm usually not fond of big companies, but I have to say I do like 1Password's new service; it's automatable. However, I have two issues: 1) I think my Yubi is blocking its CLI, and 2) 1Password doesn't add the public key to .ssh like it's supposed to if the proper selections are checked in their dev properties in their software panel, regardless of having their proper config set in the .ssh folder and the correct path added to my .zshenv. I guess I could consider .zshrc (I like having that area clean for smaller programs). The alternative is to download its public and private key from 1Password. But it comes in without the proper name stored in the vault, so I automated a script to
-
Oh, PS... the USB enclave - pure disaster.