gopasspw / gopass

The slightly more awesome standard unix password manager for teams
https://www.gopass.pw/
MIT License

age plugin support #2900

Open flokli opened 2 months ago

flokli commented 2 months ago

Summary

age v1.2.0 got released, exposing a plugin package providing an age plugin client:

The Go module now exposes a plugin package that provides an age plugin client. That is, Recipient and Identity implementations that invoke a plugin binary, allowing the use of age plugins in Go programs.

gopass should be able to make use of this.

Already mentioned by @dominikschulz in https://github.com/gopasspw/gopass/issues/2059:

Once age v1.1.0 comes with plugin support I'd like to support that, too. So people can use their hardware tokens (at least YubiKeys) with gopass+age.

neuhalje commented 2 months ago

I tried to use gopass + age with a YubiKey and failed quite miserably. Which is expected as it is not supported.

My major gripe is that I could not understand at all how it fits together.

E.g. after gopass recipients add age1yubikey1qfhccfklg7tc0n.... the passwords were never encrypted to that key. For decryption it still asks me for the password for an identities file, which was enough to decrypt the password, even though I removed the initial (identities-file?) recipient before creating a new password.

Long story short: What would have helped me the most is a design document that tells me how the pieces fit together.

What I can contribute is to write that documentation iff someone tells me what to put in.
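
As background to the recipient format quoted above, an added example (not code from gopass, age, or either commenter): under the age plugin naming convention, a recipient of the form age1NAME1... or an identity of the form AGE-PLUGIN-NAME-1... is handed to a binary called age-plugin-NAME found on PATH, while plain age1... and AGE-SECRET-KEY-1... strings are handled by age itself. The names Classify and pluginBinary, the name filter, and the sample strings are assumptions made for this sketch, and the Bech32 checksum is not verified.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Kind int
const (
	Native Kind = iota // handled by age itself
	Plugin             // handed to an external age-plugin-NAME binary
)

// Classify splits a key string at its last '1' (the Bech32 separator) and
// returns the binary the plugin naming convention selects. No checksum check.
func Classify(s string) (Kind, string, error) {
	i := strings.LastIndex(s, "1")
	if i <= 0 || i == len(s)-1 {
		return 0, "", errors.New("no Bech32 separator")
	}
	hrp := s[:i]
	switch {
	case hrp == "age" || hrp == "AGE-SECRET-KEY-":
		return Native, "", nil
	case strings.HasPrefix(hrp, "age1"): // plugin recipient: age1NAME1...
		return pluginBinary(strings.TrimPrefix(hrp, "age1"))
	case strings.HasPrefix(hrp, "AGE-PLUGIN-") && strings.HasSuffix(hrp, "-"):
		name := strings.TrimSuffix(strings.TrimPrefix(hrp, "AGE-PLUGIN-"), "-")
		return pluginBinary(strings.ToLower(name)) // plugin identity
	}
	return 0, "", fmt.Errorf("unrecognized prefix %q", hrp)
}

// pluginBinary refuses names that would not stay a plain PATH lookup
// (assumed policy for this example: no separators, dots or spaces).
func pluginBinary(name string) (Kind, string, error) {
	if name == "" || strings.ContainsAny(name, `/\. `) {
		return 0, "", fmt.Errorf("unsafe plugin name %q", name)
	}
	return Plugin, "age-plugin-" + name, nil
}

func main() {
	// Constructed sample strings, not real keys.
	for _, s := range []string{"age1qqqqqqqq", "age1yubikey1qqqqqqqq", "AGE-PLUGIN-YUBIKEY-1QQQQ"} {
		k, bin, err := Classify(s)
		fmt.Println(s, k, bin, err)
	}
}
```

Because the recipient string alone decides which executable is launched, auditing a store's recipient list this way shows which plugin binaries must be present and trusted on every machine that encrypts to it.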