README
¶
1Password Plugin for age
age-plugin-1p is a plugin for age clients like age
and rage which allows you to use SSH keys stored inside 1Password.
Differences with age-plugin-op
- Uses SSH public keys (e.g.
ssh-ed25519 AAAAC3N...) asagerecipients - Does not require the plugin or 1Password for encryption
- Supports decryption without identity files (
age --decrypt -j 1p)
Requirements
- 1Password CLI
- An age client such as age or rage
Testing
To use age-plugin-1p without installation, you can run age through Nix to provide the plugin:
$ nix run github:Enzime/age-plugin-1p#age
The actual plugin is available as:
$ nix run github:Enzime/age-plugin-1p
Or you can enter a shell environment that provides both age and age-plugin-1p:
$ nix shell github:Enzime/age-plugin-1p
Installation
You can build the age-plugin-1p binary using Nix:
$ nix build github:Enzime/age-plugin-1p
Which can then be copied or symlinked to your PATH
Usage
- List all the public keys in OpenSSH's
authorized_keyformat:
$ age-plugin-1p --print-recipients
op://Personal/SSH key/public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE
- Encrypt file with SSH public key:
$ echo 'Hello, world!' | age -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKZfejb9htpSB5K9p0RuEowErkba2BMKaze93ZVkQIE" -o secret.age
You can replace the recipient with "$(op read "op://Personal/SSH key/public key")" when encrypting files for yourself.
- Decrypt file with 1Password:
age-plugin-1p can automatically find the correct SSH key for decryption if you specify -j 1p:
$ age --decrypt -j 1p -o - secret.age
Hello, world!
Supported SSH Key Types
Only Ed25519 and RSA keys are supported since these are the only types supported by 1Password and age.
Inspiration
This plugin is a spiritual successor of age-plugin-op, where it shares a little code, however the majority of code comes from age-plugin-tpm as it uses the new experimental plugin framework.
Directories