cmd/age: passphrase optionnaly supplied from an environment variable

[wj]

The passphrase is now read from the AGE_PASSPHRASE environment variable, as an alternative to being requested interactively.

This enables the following usage patterns:

• automation of the encryption, without having to manage an additional private key file
• provide a less error prone way of supplying a passphrase. Copy-pasting to an echo-less prompt, for example, is often hazardous on some platforms.

[ghost]

Hi,
How exactly is the env var AGE_PASSPHRASE to be supplied? I was trying age -d --AGE_PASSPHRASE but that doesn't seem to work?

Edit: Never mind, figured out.

[jc00ke]

This would be nice to see, as it would allow one to use 1Password Secret reference syntax for shared passphrases.

[gaby]

This would be great for automation/CI!

@FiloSottile

[sewnie]

#346 (comment)

[clach04]

#346 (comment)

Cross-referencing related/duplicated discussion/PR topics:

• UX: Make age take a passphrase from a non-terminal source #275 "UX: Make age take a passphrase from a non-terminal source"
  • Add --passphrase-fd option. #276 "Add --passphrase-fd option."
• Read passphrase from AGE_PASSPHRASE env var if available #346 "Read passphrase from AGE_PASSPHRASE env var if available"
• cmd/age: passphrase optionnaly supplied from an environment variable #520 "cmd/age: passphrase optionnaly supplied from an environment variable"

[clach04]

Thanks @wj 🙏 , you saved me a few hours. When I get a few minutes I'll be building this and giving it a go 😀

[clach04]

Follow up from last year, wj's code works flawlessly for my use case where I need to script encryption and decryption.

[zhuoqun-chen]

Follow up from last year, wj's code works flawlessly for my use case where I need to script encryption and decryption.

Hi @clach04, is this already usable in the latest chezmoi release?

[mirql]

There is other easy way with using "expect":

example of encryption:

#!/bin/sh

PASSPHRASE="1231234"
AGE_INPUT="flake.nix"
AGE_OUTPUT="r2.age"

expect <<EOF
log_user 0
spawn age -e -p -o "$AGE_OUTPUT" "$AGE_INPUT"
send -- "$PASSPHRASE\n"
# confirmation
send -- "$PASSPHRASE\n"
expect -- "\n"
log_user 1
expect eof
EOF

example of decryption:

#!/bin/sh

# we can read env variable here or pass it as an argument
PASSPHRASE="1231234"
AGE_FILE="r2.age"

expect <<EOF
log_user 0
spawn age -d "$AGE_FILE"
send -- "$PASSPHRASE\n"
expect -- "\n"
log_user 1
expect eof
EOF

[clach04]

chezmoi

Do you have details on this? A search yields https://github.com/twpayne/chezmoi but unclear on environment variable support, the download is substantially larger than the age download.

[clach04]

There is other easy way with using "expect":

Have you found a way to get this to run natively under Windows? A custom build has been the most simple solution I've tried so far.

[mirql]

There is other easy way with using "expect":

Have you found a way to get this to run natively under Windows? A custom build has been the most simple solution I've tried so far.

nope not tried, dont have windows machines in my inventory

[omniproc]

Any plans to make this into a age plugin now that plugin support is here?
It has been stated that this won't be merged into age and instead should make it into a plugin.

[clach04]

Any plans to make this into a age plugin now that plugin support is here? It has been stated that this won't be merged into age and instead should make it into a plugin.

Based on #256 (reply in thread) it doesn't look like the plugin architecture as implemented today allows that to be implemented 😢 , @FiloSottile please reply if this is incorrect.

[FiloSottile]

I have implemented this as the batchpass plugin. See #256 (comment) for usage and a warning.