Comments (9)
I, too, like to encrypt my keys most of the time, but I can also see how implementing this here would hurt the simplicity of age. age already provides all features to create password-secured keys ourselves (since #173 it's even easier). This is how it could work:
$ printf 'foo\n' > testdata
$ age-keygen | age -p -o mykey.age
Public key: age1j85xmnxgavcach38x4nnzu2tcmdnj7vqq2d4ffmwjsdh9flcuy9sa8agsm
Enter passphrase (leave empty to autogenerate a secure one): mysecret
Confirm passphrase: mysecret
$ age -o testdata.age -r age1j85xmnxgavcach38x4nnzu2tcmdnj7vqq2d4ffmwjsdh9flcuy9sa8agsm testdata
$ age -d mykey.age | age -d -i - testdata.age
Enter passphrase: mysecret
foo
This also has another advantage: It's easy to extract your non-password-protected key. This can be useful if you want to store it with gfshare or similar. After that, forgetting your password will not make your encrypted files useless, but it's still not easy for an attacker to steal your key.
is there a way to save output on decryption instead of STDOUT? [...] I wonder if there is a way using the -o flag. I tried a few combinations unsuccessfully.
Weird. Using -o works fine for me:
age -d mykey.age | age -d -i - -o testdata.2 testdata.age
can you use the ssh-gen private key with age directly
By all means. However, when encrypting using the 'age' keys (i.e. recipients), you will need to include the public key data on the command line. As you can imagine, this can become quite cumbersome especially for keys > 1024. The spec and 'age' help screen both discuss specifying the pub key as a file but it is apparently not yet working; there is a ticket open to get it working.
That said, this does work on the decrypt side --- the private key file can be specified using the '-i' switch and if the key is PW protected, then you will be prompted for the password.
once it's an ed25519 key
Not sure what you mean here? The payload en/decryption key is not generated by the keygen app... that is still done by 'age'.
FWIW, I gen my keypairs using ssh-keygen but agreed that enhancing the age-keygen w/ encrypted private keys would be nice as long as not mandated.
@cyb3rz3us - that's a nice approach, so you get encrypted private keys, however, can you use the ssh-gen private key with age directly?
(If so, I guess it's ok once it's an ed25519 key.)
However surely that's a fundamental need, otherwise private key material sits in plaintext.
I agree.
I'm trying hard to ditch gpg for something else. One contender is opmsg, but the lack of protection for private key material puts me off:
The private part of the keys which are stored inside ~/.opmsg are NOT encrypted. It is believed that once someone gained access to your account, its all lost anyway.
I disagree with the above. No one has gained access to my system, but I do run lots of software on my system, and any one of them may try to steal private keys.
[When I first looked at age, I had planned to simply use my SSH private key, but sadly it resides on a yubikey, which can't yet be used with age. So a regular encrypted age key might be a good stepping stone until ssh-agent support is integrated. Agent support would be ideal though, as I'd only have to unlock the private key once.]
Would @FiloSottile take a PR on this? I'm happy to take a stab at it.
There's one linked above, but it seems to have stalled.
@codesoap, is there a way to save output on decryption instead of STDOUT? I know one can do:
age -d mykey.age | age -d -i - testdata.age > testdata
But I wonder if there is a way using the -o flag. I tried a few combinations unsuccessfully.