Passage?
Can the README give sample commands to set up passage with age-plugin-se?
This is what I seem to have figured out so far. I think this works—I guess there is no need for "armor".
❯ age-plugin-se keygen --access-control=any-biometry-or-passcode -o ~/.age/passage.key-se.age
Public key: age1se1qv3z7fv3puagp039udc5lymlpnta7fjm6c86992xlnpg84kt7glsgv73ksl
❯ mkdir -p ~/.passage/store
❯ <~/.age/passage.key-se.age >>! ~/.passage/identities
❯ <~/.age/passage.key-se.age age-plugin-se recipients >>! ~/.passage/store/.age-recipients
❯ chmod -R go-rwx ~/.passage
@huyz At first sight, that looks correct.
I suggest you also create a regular age key as a backup, and add the recipient to .age-recipients (and re-encrypt whatever you already encrypted), in case your machine breaks, you lose access, or you want to access your secrets from another machine.
I'll look into adding a tutorial in the README.
Great suggestion!
Hmm, it seems that in the ~/.passage/identities file, we can't mix and match armored regular age keys and age keys protected by age-plugin-se. Either one will work, but not both in the same file—it just won't parse.
You typically don’t need multiple identities, as these are only used for decryption, and you should have enough with only your age-plugin-se private key set as an identity, as long as you encrypt to multiple recipients.
If you have different .age-recipient files with different combinations of keys, this may be an issue. There’s a ticket (with a PR) for this: https://github.com/FiloSottile/passage/issues/51
See the README for a guide on using this plugin with passage.
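An added example, not part of this thread or the project's README: a POSIX shell check for the advice above about encrypting to more than one recipient. It walks a passage store and flags every .age-recipients file that lists only Secure Enclave recipients (the age1se1 prefix seen in the key above). It assumes one recipient per line with # comments; `classify_file` and `audit_store` are hypothetical names, and the backup recipient in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example: flag .age-recipients files in a passage store that list only
# Secure Enclave recipients (prefix age1se1), i.e. no backup recipient.

# classify_file FILE -> prints "<se_count> <other_count>", skipping blank
# lines and "#" comments.
classify_file() {
    awk '
        /^[ \t]*(#|$)/   { next }
        /^[ \t]*age1se1/ { se++; next }
        { other++ }
        END { printf "%d %d\n", se, other }
    ' "$1"
}

# audit_store DIR -> one line per recipients file; returns 1 if any file has
# no non-Secure-Enclave recipient, 2 if no recipients file exists at all.
audit_store() {
    rc=0
    list=$(find "$1" -type f -name .age-recipients | sort)
    [ -n "$list" ] || { echo "no .age-recipients under $1"; return 2; }
    while IFS= read -r f; do
        counts=$(classify_file "$f")
        se=${counts% *}; other=${counts#* }
        if [ "$other" -gt 0 ]; then
            echo "OK    $f (se=$se other=$other)"
        else
            echo "RISK  $f (se=$se other=0: no backup recipient)"
            rc=1
        fi
    done <<EOF
$list
EOF
    return "$rc"
}

# Constructed demo store; the backup recipient is a placeholder, not a real key.
demo=$(mktemp -d)
mkdir -p "$demo/team"
printf '%s\n' '# laptop' \
    'age1se1qv3z7fv3puagp039udc5lymlpnta7fjm6c86992xlnpg84kt7glsgv73ksl' \
    'age1PLACEHOLDERBACKUPRECIPIENT' > "$demo/.age-recipients"
printf '%s\n' \
    'age1se1qv3z7fv3puagp039udc5lymlpnta7fjm6c86992xlnpg84kt7glsgv73ksl' \
    > "$demo/team/.age-recipients"
audit_store "$demo" || echo "at least one subtree has no backup recipient"
rm -rf "$demo"
```

Any line that is not an age1se1 recipient counts as "other", so a second hardware-bound recipient from a different plugin would also pass this check.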