Add scripting examples #279

Open
FiloSottile opened this issue Jun 2, 2021 · 9 comments
@FiloSottile (Owner)

Including how to use an identity stored somewhere like pass, and generating a new key pair and doing something with the recipient line. We already have an example for how to script sending to a GitHub user.

This could also encourage -e usage for explicit scripts, and maybe show how to use -e -i.

@FiloSottile FiloSottile added the CLI label Jun 2, 2021
@FiloSottile (Owner, Author)

This can also mention that we don't support scripting passphrases and offer alternatives, like a passphrase-encrypted identity file.

@puenka (Contributor) commented Oct 21, 2021

Examples for password manager pass

Generate an age identity and store it directly to pass:

$ age-keygen | pass insert -m "age-key"
Public key: age1234[...]
Enter contents of age-key and press Ctrl+D when finished:

$ # note that the above terminates automatically

Encrypt and decrypt ~/data using this identity by reading it from stdin:

pass "age-key" | age -e -i - data > data.age
pass "age-key" | age -d -i - data.age > data.decrypted

Recreate public key to share as recipient line:

pass "age-key" | age-keygen -y
age1234[...]
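
The workflow the issue asks for (generate a key pair, do something with the recipient line, encrypt with an identity that lives in pass) assembled into one POSIX sh script. This is an added example, not code from the age project or from the comment above. It assumes age, age-keygen and pass are on PATH; the pass entry name "age-key", the function names and the file names are placeholders. It goes one step beyond the commands above: encryption uses only the recipient line parsed out of the stored identity, so the secret key is read for decryption only.

```sh
#!/bin/sh
# Added example (not age's own code): scripting age with an identity kept
# in pass. Assumes age, age-keygen and pass are on PATH; "age-key" and the
# file names below are placeholders.
set -eu

# Print the recipient (public key) of an age-keygen identity read on stdin.
# age-keygen records it as a "# public key: age1..." comment line, so a
# script can encrypt with -r without ever touching the secret key.
recipient_from_identity() {
    sed -n 's/^# public key: \(age1[0-9a-z]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Generate a fresh identity straight into pass. age-keygen prints the public
# key to stderr when stdout is not a terminal; the secret goes through the
# pipe into pass, which gpg-encrypts it. Nothing is written to disk in clear.
new_identity_in_pass() {   # usage: new_identity_in_pass ENTRY
    age-keygen 2>/dev/null | pass insert -m -f "$1" >/dev/null
}

# Encrypt FILE to OUT for the identity supplied on stdin, using only its
# recipient line. Because stdin carries the identity, the plaintext has to
# be a file argument rather than a pipe.
encrypt_to_self() {        # usage: pass show age-key | encrypt_to_self FILE OUT
    rcpt=$(recipient_from_identity)
    if [ -z "$rcpt" ]; then
        echo "encrypt_to_self: no '# public key:' line in identity" >&2
        return 1
    fi
    age -e -r "$rcpt" -o "$2" "$1"
}

# Decrypt FILE to OUT with the identity supplied on stdin (-i -). Again the
# ciphertext is a file argument so the two inputs do not compete for stdin.
decrypt_with_identity() {  # usage: pass show age-key | decrypt_with_identity FILE OUT
    age -d -i - -o "$2" "$1"
}

# Round-trip demo, run only when an entry name is given:  ./age-pass.sh age-key
if [ -n "${1:-}" ]; then
    entry=$1
    pass show "$entry" >/dev/null 2>&1 || new_identity_in_pass "$entry"
    printf 'hello from age\n' > plain.txt
    pass show "$entry" | encrypt_to_self plain.txt plain.txt.age
    pass show "$entry" | decrypt_with_identity plain.txt.age plain.dec
    cmp plain.txt plain.dec
    echo "round trip OK for $(pass show "$entry" | recipient_from_identity)"
fi
```

If the data itself must arrive on stdin (for example `tar cz dir | age -d ...` is not needed, but `tar cz dir | age -e -r "$rcpt"` is), the recipient-only encryption above already keeps stdin free; for decryption of a stream under bash, `-i <(pass show age-key)` hands the identity over on a separate descriptor instead of `-i -`. The passphrase alternative mentioned in this thread works with the same functions: `age-keygen | age -p -o key.age` produces a passphrase-protected identity file, and `age -d -i key.age` then asks for the passphrase on /dev/tty, which is exactly why it cannot be scripted and why a secret store like pass is the scriptable option.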

@dani-CO-CN

I needed a way to decrypt an age-encrypted identity file. I had quite a hard time doing that in Python without user input; I ended up using expect or the Python package pexpect.

import pexpect

# Run age inside a pseudo-terminal so its /dev/tty prompt can be answered:
# when output matching the pattern appears, pexpect types the (hard-coded)
# passphrase. run() returns everything age wrote to the terminal, which with
# -d and no -o includes the decrypted identity.
output = pexpect.run(
    '/path/to/age -d /path/to/age.key',
    events={'Enter passphrase:': 'SomePassword\n'},
)

Otherwise fiddling with /dev/tty and file descriptors in python sub-processes seemed even more involved.

@brandsimon (Contributor)

I want to use age to decrypt a file in an initramfs, where /dev/tty is not available.

could not read passphrase: open /dev/tty: no such file or address

I also thought about using expect, but I don't want to pack it in the initramfs. Using a pipe or anything does not work.
Are there other ways than to use expect?

@brandsimon (Contributor)

@FiloSottile
If I remove /dev/tty, age works just fine. I don't really know why age is not able to open it, since neither lsof nor fuser say that it is already opened by another program.

I just checked readPassphrase and if it can stat /dev/tty but not open it, it will return an error.
Is there a reason to not go to the else block in this case?
If not, I am happy to provide a patch and test it.

@dkwo commented Jan 6, 2024

I'm also interested in using age in the initram, in combination with a yubikey, to decrypt a luks partition.
str4d/age-plugin-yubikey#157
As far as age is concerned, is this doable?
My script would be a hook in the initram of choice, e.g. tinyramfs.

@brandsimon (Contributor)

I use it in an initramfs with dracut and mkinitcpio, it works just fine: https://gitlab.com/cryptographic_id/cryptographic-id-rs/-/blob/main/usr/lib/cryptographic_id/show_identities?ref_type=heads#L27
My problem got fixed here: ac31f5c

@dkwo commented Jan 7, 2024

Thanks, that's useful. Do you foresee any obstructions to use a yubikey (with the age plugin) instead of tpm?

@brandsimon (Contributor)

@dkwo No big ones, but I have no experience with yubikey in initramfs. You need the device drivers in the initramfs, probably some configuration files and maybe some udev rules.
