Open FiloSottile opened 3 years ago
This can also mention that we don't support scripting passphrases and offer alternatives, like a passphrase-encrypted identity file.
pass

Generate an age identity and store it directly to pass:

$ age-keygen | pass insert -m "age-key"
Public key: age1234[...]
Enter contents of age-key and press Ctrl+D when finished:
$ # note that the above terminates automatically

Encrypt and decrypt ~/data using this identity by reading it from stdin:

pass "age-key" | age -e -i - data > data.age
pass "age-key" | age -d -i - data.age > data.decrypted

Recreate public key to share as recipient line:

pass "age-key" | age-keygen -y
age1234[...]
I needed a way to decrypt an age-encrypted identity file. I had quite a hard time doing that in Python without user input; I ended up using expect or the Python package pexpect.

import pexpect
# answer age's passphrase prompt automatically when it appears
pexpect.run('/path/to/age -d /path/to/age.key', events={'Enter passphrase:': 'SomePassword\n'})

Otherwise fiddling with /dev/tty and file descriptors in Python sub-processes seemed even more involved.
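The following Python is an added example, not code from this thread or from the age project. It puts the two approaches discussed above side by side: identity_file_roundtrip() scripts age the way the pass example does, with an identity file and explicit -r/-i flags and no passphrase prompt at all (it assumes age and age-keygen are on PATH; the key.txt filename is mine), and run_with_passphrase() is a standard-library pty-based stand-in for the pexpect one-liner above, for the case where a prompt really is unavoidable. demo_passphrase_prompt() drives the latter against a small Python child instead of age, so that part runs even where age is not installed. All function names are assumptions for this example.

```python
import os
import pty
import select
import signal
import subprocess
import sys
import tempfile


def identity_file_roundtrip(workdir: str, plaintext: bytes) -> bytes:
    """Script age with an identity file instead of a passphrase prompt.

    Uses only non-interactive age invocations: age-keygen -o, age-keygen -y,
    age -e -r, age -d -i.  Assumes `age` and `age-keygen` are on PATH.
    Returns the decrypted bytes, which must equal `plaintext`.
    """
    key_path = os.path.join(workdir, "key.txt")  # assumed filename
    # Write the identity straight to a file: the secret never appears on a
    # command line or in a shell pipeline.
    subprocess.run(["age-keygen", "-o", key_path], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.chmod(key_path, 0o600)  # only the owner may read the identity
    # Recreate the recipient from the identity (the `age-keygen -y` trick
    # from the pass example above) and pass it explicitly with -r.
    recipient = subprocess.run(["age-keygen", "-y", key_path], check=True,
                               capture_output=True, text=True).stdout.strip()
    ciphertext = subprocess.run(["age", "-e", "-r", recipient],
                                input=plaintext, check=True,
                                capture_output=True).stdout
    return subprocess.run(["age", "-d", "-i", key_path], input=ciphertext,
                          check=True, capture_output=True).stdout


def run_with_passphrase(argv, prompt: str, passphrase: str, timeout: float = 10.0):
    """Run `argv` on a pseudo-terminal and type `passphrase` once `prompt` shows up.

    Stdlib replacement for the pexpect one-liner in the comment above.  The
    child gets the pty as its controlling terminal, so its open("/dev/tty")
    succeeds and it cannot tell the difference from a human typing.  This
    still needs a pty and a /dev/tty node, so it does not help in an
    initramfs that lacks /dev/tty.  Returns (exit_code, captured_output).
    """
    pid, master = pty.fork()
    if pid == 0:  # child: replace ourselves with the command
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec itself failed
    output = b""
    answered = False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                os.kill(pid, signal.SIGKILL)
                raise TimeoutError(f"{argv[0]} produced no output for {timeout}s")
            try:
                chunk = os.read(master, 4096)
            except OSError:  # EIO on Linux once the child closes the slave
                break
            if not chunk:
                break
            output += chunk
            if not answered and prompt.encode() in output:
                # A prompt with echo disabled (as age's is) does not send
                # the typed passphrase back, so it will not show up in output.
                os.write(master, passphrase.encode() + b"\n")
                answered = True
    finally:
        os.close(master)
        _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status), output


def demo_passphrase_prompt(passphrase: str = "correct horse") -> tuple:
    """Exercise run_with_passphrase() against a stand-in for age: a Python
    child that reads a passphrase from the controlling terminal with echo
    off (getpass), then prints what it received."""
    child = [sys.executable, "-c",
             "import getpass; print('child got: ' + getpass.getpass('Enter passphrase: '))"]
    return run_with_passphrase(child, "Enter passphrase:", passphrase)


if __name__ == "__main__":
    code, out = demo_passphrase_prompt()
    print("pty driver exit code:", code, "output:", out)
    try:
        with tempfile.TemporaryDirectory() as d:
            print("age roundtrip:", identity_file_roundtrip(d, b"hello from a script\n"))
    except FileNotFoundError:
        print("age / age-keygen not on PATH; skipping identity file roundtrip")
```

The pty driver keeps the passphrase in the script and in process memory and still depends on a terminal device, which is why the identity-file route (a 0600 key file, or one read out of pass as above) is the better default for unattended jobs; in an initramfs without /dev/tty neither trick helps.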
I want to use age to decrypt a file in an initramfs, where /dev/tty is not available.

could not read passphrase: open /dev/tty: no such file or address

I also thought about using expect, but I don't want to pack it in the initramfs. Using a pipe or anything does not work. Are there other ways than to use expect?
@FiloSottile If I remove /dev/tty, age works just fine. I don't really know why age is not able to open it, since neither lsof nor fuser say that it is already opened by another program.

I just checked readPassphrase, and if it can stat /dev/tty but not open it, it will return an error. Is there a reason to not go to the else block in this case? If not, I am happy to provide a patch and test it.
I'm also interested in using age in the initram, in combination with a yubikey, to decrypt a luks partition. https://github.com/str4d/age-plugin-yubikey/issues/157 As far as age is concerned, is this doable? My script would be a hook in the initram of choice, e.g. tinyramfs.
I use it in an initramfs with dracut and mkinitcpio, it works just fine: https://gitlab.com/cryptographic_id/cryptographic-id-rs/-/blob/main/usr/lib/cryptographic_id/show_identities?ref_type=heads#L27 My problem got fixed here: https://github.com/FiloSottile/age/commit/ac31f5c9356f42c3ec76440bff74ae4bac9de794
Thanks, that's useful. Do you foresee any obstructions to use a yubikey (with the age plugin) instead of tpm?
@dkwo No big ones, but I have no experience with yubikey in initramfs. You need the device drivers in the initramfs, probably some configuration files and maybe some udev rules.
Including how to use an identity stored somewhere like pass, and generating a new key pair and doing something with the recipient line. We already have an example for how to script sending to a GitHub user. This could also encourage -e usage for explicit scripts, and maybe show how to use -e -i.