A [cryptoki/PKCS#11 library](http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html) for [Termux](https://termux.com/) that uses [Android Keystore](https://developer.android.com/training/articles/keystore) as its backend.
This library enables the use of keys securely stored in termux-api with PKCS#11 protocol capable applications. These include the applications provided by openssh, such as `ssh` and `scp`.
Tergent does not (and cannot) access your private keys as they are stored inside the secure hardware. In fact, they can never leave the chip even with root privileges, thanks to [extraction preventation](https://developer.android.com/training/articles/keystore#ExtractionPrevention).
Cryptographic actions are performed by the hardware itself.
This library is aimed to be compliant with PKCS#11 version 2.40. For now it implements all the APIs required for `ssh` and the related applications to function. If you encounter any issues trying to use tergent with any other PKCS#11 capable application, please open a bug report.
Install [Rust](https://www.rust-lang.org/en-US/install.html) and [Android NDK](https://developer.android.com/ndk/).
You will need to configure cargo with the correct locations for "ar" and "linker", you can follow this page up to and including the `rustup target add ...` command:
Keys generated for tergent 0.1 will not work for the latest version. If you do not want to lose access to your server, generate new keys using step 2 below and copy it to your server before upgrading.
If you have already upgraded, you can download a copy of an older version from the releases page.
After upgrading, any modifications made in `.bash_profile` or similar files should be removed. There is no need to keep running a background process anymore.
1. Make sure you have the latest version of [Termux:API](https://play.google.com/store/apps/details?id=com.termux.api) installed. Don't forget to install the scripts using the command `pkg install termux-api`.
3. List the keys to verify using the standard ssh tool: `ssh-keygen -D $PREFIX/lib/libtergent.so`. Even though the command is called `ssh-keygen`, `-D` switch lists cryptoki keys instead of generating new keys.
tergent does not provide password protected sessions yet.
However, Android [provides a mechanism](https://developer.android.com/training/articles/keystore#UserAuthentication) to automatically lock the keys after a specified time has passed since the last device unlock. To take advantage of this feature, use the flag while generating the keys, e.g. `--ei validity 10` for a 10-second lock. In this case, the keys are usable only for 10 seconds after the phone is unlocked. To unlock the keys after this time has passed, simply re-lock and unlock your device again.