FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License
15.95k stars 482 forks

Add scripting examples #279

Open FiloSottile opened 3 years ago

FiloSottile commented 3 years ago

Including how to use an identity stored somewhere like pass, and generating a new key pair and doing something with the recipient line. We already have an example for how to script sending to a GitHub user.

This could also encourage -e usage for explicit scripts, and maybe show how to use -e -i.

FiloSottile commented 3 years ago

This can also mention that we don't support scripting passphrases and offer alternatives, like a passphrase-encrypted identity file.

puenka commented 2 years ago

Examples for password manager pass

Generate an age identity and store it directly to pass:

```console
$ age-keygen | pass insert -m "age-key"
Public key: age1234[...]
Enter contents of age-key and press Ctrl+D when finished:

$ # note that the above terminates automatically
```

Encrypt and decrypt ~/data using this identity by reading it from stdin:

```sh
pass "age-key" | age -e -i - data > data.age
pass "age-key" | age -d -i - data.age > data.decrypted
```

Recreate public key to share as recipient line:

```console
pass "age-key" | age-keygen -y
age1234[...]
```

dani-CO-CN commented 2 years ago

I needed a way to decrypt an age-encrypted identity file. I had quite a hard time doing that in Python without user input; I ended up using expect or the Python package pexpect.

```python
import pexpect

# Drive the interactive prompt: when age prints "Enter passphrase:", pexpect
# answers it on the pseudo-terminal it allocates, so no /dev/tty is needed.
pexpect.run('/path/to/age -d /path/to/age.key', events={'Enter passphrase:': 'SomePassword\n'})
```

Otherwise fiddling with /dev/tty and file descriptors in python sub-processes seemed even more involved.
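The pattern from the pass examples above and the no-terminal problem in this comment can be combined without expect: keep the identity unencrypted in a secret store and hand it to age on stdin with `-i -`, so there is never a passphrase prompt. This is an added example, not code from the thread or from the age project; it assumes `age` and `age-keygen` are on PATH and that the secret-store command (e.g. `pass age-key`) prints the identity file to stdout.

```python
import os
import shutil
import subprocess
import tempfile


def age_available():
    """True when both CLI tools are on PATH; the demo below is skipped otherwise."""
    return shutil.which("age") is not None and shutil.which("age-keygen") is not None


def identity_from_command(cmd):
    """Fetch the identity file from a secret store, e.g. ["pass", "age-key"]."""
    return subprocess.run(cmd, capture_output=True, check=True).stdout


def run_age(args, stdin_bytes):
    """Run age with no terminal attached; everything it needs comes via stdin or argv."""
    return subprocess.run(["age", *args], input=stdin_bytes,
                          capture_output=True, check=True).stdout


def encrypt_with_identity(identity, plaintext_path):
    """age -e -i - PATH: stdin carries the identity, so the payload must be a path."""
    return run_age(["-e", "-i", "-", plaintext_path], identity)


def decrypt_with_identity(identity, ciphertext_path):
    """age -d -i - PATH: no passphrase is involved, so /dev/tty is never opened."""
    return run_age(["-d", "-i", "-", ciphertext_path], identity)


def recipient_of(identity):
    """age-keygen -y turns an identity back into its public recipient line."""
    out = subprocess.run(["age-keygen", "-y"], input=identity,
                         capture_output=True, check=True).stdout
    return out.decode().strip()


def roundtrip_demo(plaintext=b"constructed sample payload\n"):
    """Generate a throwaway identity (stands in for the secret store), encrypt and
    decrypt a temp file with it. Returns (recipient, recovered_plaintext)."""
    identity = subprocess.run(["age-keygen"], capture_output=True, check=True).stdout
    with tempfile.TemporaryDirectory() as tmp:
        plain, cipher = os.path.join(tmp, "data"), os.path.join(tmp, "data.age")
        with open(plain, "wb") as f:
            f.write(plaintext)
        with open(cipher, "wb") as f:
            f.write(encrypt_with_identity(identity, plain))
        return recipient_of(identity), decrypt_with_identity(identity, cipher)


if __name__ == "__main__":
    if age_available():
        print(roundtrip_demo())
```

In a real script replace the `age-keygen` call in `roundtrip_demo` with `identity_from_command(["pass", "age-key"])`; the identity then never touches the filesystem.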

brandsimon commented 2 years ago

I want to use age to decrypt a file in an initramfs, where /dev/tty is not available.

```
could not read passphrase: open /dev/tty: no such file or address
```

I also thought about using expect, but I don't want to pack it in the initramfs. Using a pipe or anything does not work. Are there other ways than to use expect?

brandsimon commented 2 years ago

@FiloSottile If I remove /dev/tty, age works just fine. I don't really know why age is not able to open it, since neither lsof nor fuser say that it is already opened by another program.

I just checked readPassphrase and if it can stat /dev/tty but not open it, it will return an error. Is there a reason to not go to the else block in this case? If not, I am happy to provide a patch and test it.

dkwo commented 6 months ago

I'm also interested in using age in the initram, in combination with a yubikey, to decrypt a luks partition. https://github.com/str4d/age-plugin-yubikey/issues/157 As far as age is concerned, is this doable? My script would be a hook in the initram of choice, e.g. tinyramfs.

brandsimon commented 6 months ago

I use it in an initramfs with dracut and mkinitcpio, it works just fine: https://gitlab.com/cryptographic_id/cryptographic-id-rs/-/blob/main/usr/lib/cryptographic_id/show_identities?ref_type=heads#L27 My problem got fixed here: https://github.com/FiloSottile/age/commit/ac31f5c9356f42c3ec76440bff74ae4bac9de794

dkwo commented 6 months ago

Thanks, that's useful. Do you foresee any obstructions to using a yubikey (with the age plugin) instead of tpm?

brandsimon commented 6 months ago

@dkwo No big ones, but I have no experience with yubikey in initramfs. You need the device drivers in the initramfs, probably some configuration files and maybe some udev rules.