Add scripting examples
Including how to use an identity stored somewhere like pass, and generating a new key pair and doing something with the recipient line. We already have an example for how to script sending to a GitHub user.
This could also encourage -e usage for explicit scripts, and maybe show how to use -e -i.
This can also mention that we don't support scripting passphrases and offer alternatives, like a passphrase-encrypted identity file.
Examples for password manager pass
Generate an age identity and store it directly to pass:
$ age-keygen | pass insert -m "age-key"
Public key: age1234[...]
Enter contents of age-key and press Ctrl+D when finished:
$ # note that the above terminates automatically
Encrypt and decrypt ~/data using this identity by reading it from stdin:
pass "age-key" | age -e -i - data > data.age
pass "age-key" | age -d -i - data.age > data.decrypted
Recreate public key to share as recipient line:
pass "age-key" | age-keygen -y
age1234[...]
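What the last step (`age-keygen -y`) computes, as an added example that is not part of this thread or of age's own code: the recipient line is the X25519 public key of the identity, bech32-encoded with the human-readable part `age`. It assumes the raw 32-byte secret scalar as input (the bech32 payload of an `AGE-SECRET-KEY-1...` string) and spells out X25519 and bech32 in pure Python so it runs without the age binary.

```python
# Added example (not age's own code): the "age1..." recipient line for a raw 32-byte
# X25519 secret. Pure Python, not constant-time: for illustration, not for real keys.
P = 2**255 - 19
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def x25519_public(secret: bytes) -> bytes:
    # RFC 7748: clamp the scalar, then Montgomery-ladder multiply the base point u=9.
    k = int.from_bytes(secret, "little") & ~7 & ((1 << 255) - 1) | 1 << 254
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def bech32_polymod(values) -> int:
    # BIP-173 checksum; for a valid string, expanded HRP + data + checksum gives 1.
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def bech32_encode(hrp: str, data: bytes) -> str:
    # Regroup bytes into padded 5-bit symbols, then append the 6-symbol checksum.
    acc, bits, vals = 0, 0, []
    for byte in data:
        acc, bits = ((acc << 8) | byte) & 0xFFF, bits + 8
        while bits >= 5:
            bits -= 5
            vals.append((acc >> bits) & 31)
    if bits:
        vals.append((acc << (5 - bits)) & 31)
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    mod = bech32_polymod(hrp_exp + vals + [0] * 6) ^ 1
    vals += [(mod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[v] for v in vals)

def recipient_from_secret(secret: bytes) -> str:
    return bech32_encode("age", x25519_public(secret))  # the age-keygen -y step
```

`recipient_from_secret` returns a 62-character `age1...` string whose checksum verifies with `bech32_polymod`; the secret itself never appears in the output.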
I needed a way to decrypt an age-encrypted identity file. I had quite a hard time doing that in Python without user input; I ended up using expect or the Python package pexpect.
import pexpect
pexpect.run('/path/to/age -d /path/to/age.key', events={'Enter passphrase:': 'SomePassword\n'})
Otherwise fiddling with /dev/tty and file descriptors in python sub-processes seemed even more involved.
I want to use age to decrypt a file in an initramfs, where /dev/tty is not available.
could not read passphrase: open /dev/tty: no such file or address
I also thought about using expect, but I don't want to pack it in the initramfs. Using a pipe or anything does not work. Are there other ways than to use expect?
@FiloSottile
If I remove /dev/tty, age works just fine. I don't really know why age is not able to open it, since neither lsof nor fuser say that it is already opened by another program.
I just checked readPassphrase and if it can stat /dev/tty but not open it, it will return an error.
Is there a reason to not go to the else block in this case?
If not, I am happy to provide a patch and test it.
I'm also interested in using age in the initram, in combination with a yubikey, to decrypt a luks partition. https://github.com/str4d/age-plugin-yubikey/issues/157 As far as age is concerned, is this doable? My script would be a hook in the initram of choice, e.g. tinyramfs.
I use it in an initramfs with dracut and mkinitcpio, it works just fine: https://gitlab.com/cryptographic_id/cryptographic-id-rs/-/blob/main/usr/lib/cryptographic_id/show_identities?ref_type=heads#L27 My problem got fixed here: https://github.com/FiloSottile/age/commit/ac31f5c9356f42c3ec76440bff74ae4bac9de794
Thanks, that's useful. Do you foresee any obstructions to using a yubikey (with the age plugin) instead of tpm?
@dkwo No big ones, but I have no experience with yubikey in initramfs. You need the device drivers in the initramfs, probably some configuration files and maybe some udev rules.