I made some minor modifications to the age
tool so that I could invoke its decrypt
method from a non-tty environment (like from within emacs). I am currently using age
to encrypt my org-mode
notes, and I have provided some emacs lisp functions below that I use to decrypt/encrypt within memory.
Encryption was simple: simply pipe the current buffer into age -a -r PUBKEY
and then replace the current buffer with the output.
Decryption was a bit more difficult, as I need to specify the private key. However, I don't want to keep my private key file decrypted on my filesystem, and I can't specify a passphrase to the age
cli from within emacs (as there is no tty), so I decided to modify age
to optionally accept structured data (json) from stdin. This can be specified using age
's new -k
option.
The structured data currently expects the structure:
{
"keys": ["KEY_1", "KEY_2"],
"data": "BASE64_ENCODED_ENCRYPTED_DATA"
}
When the -k
option is specified, age
will expect this kind of structured data from its input.
Now personally, In my .emacs.d/init.el
file I've defined these emacs lisp functions:
(defun encrypt-age (pubkey)
(interactive "sPubkey:")
(shell-command-on-region
(point-min)
(point-max)
(concat "age -a -r " pubkey)
(current-buffer)
t
"*Enc Error Buffer*"
t))
(defun encrypt-age-my-key ()
(interactive)
(shell-command-on-region
(point-min)
(point-max)
(concat "age -a -r age18hsrm9vzj9nw7um46x4v6hz4f3xd35l5nwa4p6dvn4zc64m4d4wsws6a78")
(current-buffer)
t
"*Enc Error Buffer*"
t))
(defun b64-encode ()
(copy-to-buffer "*b64buffer*" (point-min) (point-max))
(with-current-buffer "*b64buffer*"
(shell-command-on-region
(point-min)
(point-max)
(concat "base64 --wrap=0")
(current-buffer)
t
"*B64 Error Buffer*"
t)))
(defun decrypt-age (privatekey)
(interactive "sPrivateKey:")
(b64-encode)
(generate-new-buffer "*decryptBuffer*")
(with-current-buffer "*decryptBuffer*"
(insert "{\"keys\":[\"")
(insert privatekey)
(insert "\"], \"data\":\"")
(with-current-buffer "*b64buffer*"
(append-to-buffer "*decryptBuffer*" (point-min) (point-max)))
(insert "\"}")
(shell-command-on-region
(point-min)
(point-max)
"age -d -k"
(current-buffer)
t
"*Dec Error Buffer*"
t))
(erase-buffer)
(insert-buffer "*decryptBuffer*")
(kill-buffer "*decryptBuffer*")
(kill-buffer "*b64buffer*"))
; need private key to not be written to command line, so therefore the json needs to be constructed in emacs before written to pipe!
; create buffer 1 by taking current buffer and base64 encoding it
; create buffer 2 -> add intro text -> add key -> insert buffer 1 -> append end text -> pipe to age
(setq make-backup-files nil) ; I think this tells emacs to not temporarily save buffers to disks. Not good for the kind of promise I want!
(global-set-key (kbd "C-x e") 'encrypt-age-my-key)
(global-set-key (kbd "C-x d") 'decrypt-age)
I haven't written many emacs lisp functions before, so definitely file an issue if you have some ideas as to how this could use some improvement :)
Also, if you end up using something like this, you will probably want to change that public key hard-coded in encrypt-age-my-key
to one of your own!
In the end, this satisfies my requirements, which are:
- No need to keep an
age
private key decrypted somewhere in a file - Not passing an
age
private key through a command line parameter, which is visible to processes on the system - Make it possible for emacs (or other tools) to open an encrypted file, decrypt the file in memory, make edits to the file in memory, and then re-encrypt the file before writing the file out to disk again
age is a simple, modern and secure file encryption tool, format, and Go library.
It features small explicit keys, no config options, and UNIX-style composability.
$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz
The format specification is at age-encryption.org/v1. age was designed by @Benjojo12 and @FiloSottile.
An alternative interoperable Rust implementation is available at github.com/str4d/rage.
The author pronounces it [aɡe̞]
, like the Italian “aghe”.
For the full documentation, read the age(1) man page.
Usage:
age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]
Options:
-e, --encrypt Encrypt the input to the output. Default if omitted.
-d, --decrypt Decrypt the input to the output.
-o, --output OUTPUT Write the result to the file at path OUTPUT.
-a, --armor Encrypt to a PEM encoded format.
-p, --passphrase Encrypt with a passphrase.
-r, --recipient RECIPIENT Encrypt to the specified RECIPIENT. Can be repeated.
-R, --recipients-file PATH Encrypt to recipients listed at PATH. Can be repeated.
-i, --identity PATH Use the identity file at PATH. Can be repeated.
INPUT defaults to standard input, and OUTPUT defaults to standard output.
If OUTPUT exists, it will be overwritten.
RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").
Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.
Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Passphrase encrypted age files can be used as
identity files. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.
When --encrypt is specified explicitly, -i can also be used to encrypt to an
identity file symmetrically, instead or in addition to normal recipients.
Files can be encrypted to multiple recipients by repeating -r/--recipient
. Every recipient will be able to decrypt the file.
$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
-r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg
Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file
flag.
$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age
If the argument to -R
(or -i
) is -
, the file is read from standard input.
Files can be encrypted with a passphrase by using -p/--passphrase
. By default age will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.
$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:
If an identity file passed to -i
is a passphrase encrypted age file, it will be automatically decrypted.
$ age-keygen | age -p > key.age
Public key: age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
$ age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age
$ age -d -i key.age secrets.txt.age > secrets.txt
Enter passphrase for identity file "key.age":
Passphrase-protected identity files are not necessary for most use cases, where access to the encrypted identity file implies access to the whole system. However, they can be useful if the identity file is stored remotely.
As a convenience feature, age also supports encrypting to ssh-rsa
and ssh-ed25519
SSH public keys, and decrypting with the respective private key file. (ssh-agent
is not supported.)
$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg
Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.
Combining SSH key support and -R
, you can easily encrypt a file to the SSH keys listed on a GitHub profile.
$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age
Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can't be used to decrypt files.
Homebrew (macOS or Linux) |
brew install age
|
MacPorts |
port install age
|
Ubuntu 21.04+ |
apt install age
|
Debian 11+ (Bullseye) |
apt install age
|
Arch Linux |
pacman -S age
|
Fedora 33+ |
dnf install age
|
OpenBSD 6.7+ |
pkg_add age (security/age)
|
FreeBSD |
pkg install age (security/age)
|
NixOS / Nix |
nix-env -i age
|
Gentoo Linux |
emerge app-crypt/age
|
Void Linux |
xbps-install age
|
Chocolatey (Windows) |
choco install age.portable
|
On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries.
https://dl.github.com/johnkord/age/latest?for=linux/amd64
https://dl.github.com/johnkord/age/v1.0.0-rc.1?for=darwin/arm64
...
If your system has a supported version of Go, you can build from source.
go install github.com/johnkord/age/cmd/...@latest
Help from new packagers is very welcome.
age's People
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.