FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

Decrypt not working with my setup #200

Closed orolhawion closed 3 years ago

orolhawion commented 3 years ago

Environment

What were you trying to do

I tried to decrypt a previously encrypted txt file.

What happened

An error was displayed: Error: no identity matched any of the recipients

More Details

I might explain my setup which may be the issue itself:

For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

I read that ssh-agent is not supported, however I am running gpg-agent, which also may not be supported. I just thought I would have a use case here.

Could be related to https://github.com/FiloSottile/age/issues/137

$ age -R ~/.ssh/id_rsa.pub plain.txt > plain.txt.age

$ cat plain.txt.age 
age-encryption.org/v1
-> ssh-rsa 7nXROQ
[...]
--- Nsc+ERH0H8DWzgNYMCxRdndI1KBX9+sFMsRUO7JKEB4
σ????
V??v\?'A??ۡ>Iv??? ?%

$ age -d plain.txt.age > plain.txt.age.decrypted
Error: no identity matched any of the recipients
[ Did age not do what you expected? Could an error be more useful? Tell us: https://filippo.io/age/report ]

FiloSottile commented 3 years ago

> For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.
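As an added example (not from this thread or the age project, stdlib only), the script below reads the header of a file like the one shown above, lists its recipient stanzas, and checks whether a given OpenSSH public key is the one an `ssh-rsa` stanza refers to. That separates "encrypted to a different key" from the case in this issue, where the recipient is right but no file-based private key exists to act as the identity. The tag comparison follows the age format spec (first four bytes of SHA-256 over the OpenSSH wire-format key, base64 without padding); the public key, the stanza bodies and the payload are constructed.

```python
"""List recipient stanzas in an age v1 header and test an OpenSSH public key
against the ssh-* stanzas. Added example, not part of the age project."""
import base64
import hashlib

AGE_V1 = "age-encryption.org/v1"


def parse_header(data: bytes) -> list[list[str]]:
    """Return the argument list of every recipient stanza in the header.
    A stanza line starts with '-> '; base64 body lines follow and the last
    one is shorter than 64 chars; the header ends at the '--- <MAC>' line."""
    head, sep, _payload = data.partition(b"\n--- ")
    if not sep:
        raise ValueError("no header MAC line found")
    lines = head.decode("ascii").split("\n")
    if lines[0] != AGE_V1:
        raise ValueError(f"unexpected version line {lines[0]!r}")
    stanzas, i = [], 1
    while i < len(lines):
        if not lines[i].startswith("-> "):
            raise ValueError(f"expected a stanza at header line {i + 1}")
        stanzas.append(lines[i][3:].split(" "))
        i += 1
        while i < len(lines):  # consume body lines; a short line ends the body
            i += 1
            if len(lines[i - 1]) < 64:
                break
    return stanzas


def ssh_tag(pubkey_line: str) -> str:
    """Tag age writes into ssh-* stanzas: first 4 bytes of SHA-256 over the
    wire-format key (the base64 field of an authorized_keys line)."""
    wire = base64.b64decode(pubkey_line.split()[1])
    return base64.b64encode(hashlib.sha256(wire).digest()[:4]).decode().rstrip("=")


def matching_stanzas(data: bytes, pubkey_line: str) -> list[list[str]]:
    key_type, tag = pubkey_line.split()[0], ssh_tag(pubkey_line)
    return [s for s in parse_header(data) if s[:2] == [key_type, tag]]


def ssh_string(b: bytes) -> bytes:  # SSH wire-format length-prefixed string
    return len(b).to_bytes(4, "big") + b


# Constructed authorized_keys line: RSA key type, e=65537, a tiny fake modulus.
PUBKEY = "ssh-rsa " + base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                                       + ssh_string(b"\x00\xca\xfe\xba\xbe")).decode() + " constructed@example"

# Constructed file: the stanza from the issue (tag 7nXROQ, someone else's key) plus one for PUBKEY.
SAMPLE = ("\n".join([AGE_V1, "-> ssh-rsa 7nXROQ", "A" * 64, "AAAA",
                     "-> ssh-rsa " + ssh_tag(PUBKEY), "B" * 64, "BBBB",
                     "--- Nsc+ERH0H8DWzgNYMCxRdndI1KBX9+sFMsRUO7JKEB4"]) + "\n").encode() + b"\x00binary payload"

if __name__ == "__main__":
    print("recipient stanzas:", parse_header(SAMPLE))
    print("stanzas for our public key:", matching_stanzas(SAMPLE, PUBKEY))
```

If a stanza matches but decryption still reports "no identity matched any of the recipients", the file was encrypted to the right key and the missing piece is a private key file to pass with `-i`, which is the situation with an agent-only or hardware-held key.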

kfken commented 3 years ago

> Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

Is the yubikey plugin working and ready to use? Or is that still in development?

FiloSottile commented 3 years ago

Still in development but the spec should be close to done.

supermarin commented 3 years ago

> However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

@FiloSottile does this imply the YubiKey plugin will require a hardware key? i.e. no keychain / other agent based support is planned for password protected, digital keys?

This is the only usability feature that's stopping me from completely moving away from gpg.

FiloSottile commented 3 years ago

Not as part of the YubiKey plugin, but we are thinking about encrypted keys and agents plugins. The plugin protocol is designed specifically with that in mind.