doc: regenerate groff and html man pages

doc/age-plugin-batchpass.1

@@ -7,10 +7,46 @@
 \fBage\fR \fB\-e\fR \fB\-j\fR \fBbatchpass\fR
 .br
 \fBage\fR \fB\-d\fR \fB\-j\fR \fBbatchpass\fR
+.br
 .SH "DESCRIPTION"
 \fBage\-plugin\-batchpass\fR is an age(1) plugin that enables non\-interactive passphrase\-based encryption and decryption using environment variables\.
+.SH "WARNING"
+This functionality is not built into the age CLI because most applications should use native keys instead of scripting passphrase\-based encryption\.
 .P
-It is not built into the age CLI because most applications should use native keys instead of scripting passphrase\-based encryption\.
+Humans are notoriously bad at remembering and generating strong passphrases\. age uses scrypt to partially mitigate this, which is necessarily very slow\.
+.P
+If a computer will be doing the remembering anyway, you can and should use native keys instead\. There is no need to manage separate public and private keys, you encrypt directly to the private key:
+.IP "" 4
+.nf
+$ age\-keygen \-o key\.txt
+$ age \-e \-i key\.txt file\.txt > file\.txt\.age
+$ age \-d \-i key\.txt file\.txt\.age > file\.txt
+.fi
+.IP "" 0
+.P
+Likewise, you can store a native identity string in an environment variable or through your CI secrets manager and use it to encrypt and decrypt files non\-interactively:
+.IP "" 4
+.nf
+$ export AGE_SECRET=$(age\-keygen)
+$ age \-e \-i <(echo "$AGE_SECRET") file\.txt > file\.txt\.age
+$ age \-d \-i <(echo "$AGE_SECRET") file\.txt\.age > file\.txt
+.fi
+.IP "" 0
+.P
+The age CLI also natively supports passphrase\-encrypted identity files, so you can use that functionality to non\-interactively encrypt multiple files such that you will be able to decrypt them later by entering the same passphrase:
+.IP "" 4
+.nf
+$ age\-keygen \-pq | age \-p \-o encrypted\-identity\.txt
+Public key: age1pq1cd[\|\.\|\.\|\. 1950 more characters \|\.\|\.\|\.]
+Enter passphrase (leave empty to autogenerate a secure one):
+age: using autogenerated passphrase "eternal\-erase\-keen\-suffer\-fog\-exclude\-huge\-scorpion\-escape\-scrub"
+$ age \-r age1pq1cd[\|\.\|\.\|\. 1950 more characters \|\.\|\.\|\.] file\.txt > file\.txt\.age
+$ age \-d \-i encrypted\-identity\.txt file\.txt\.age > file\.txt
+Enter passphrase for identity file "encrypted\-identity\.txt":
+.fi
+.IP "" 0
+.P
+Finally, when using this plugin care should be taken not to let the password be persisted in the shell history or leaked to other users on multi\-user systems\.
 .SH "ENVIRONMENT"
 .TP
 \fBAGE_PASSPHRASE\fR

doc/age-plugin-batchpass.1.html

@@ -56,6 +56,7 @@
     <a href="#NAME">NAME</a>
     <a href="#SYNOPSIS">SYNOPSIS</a>
     <a href="#DESCRIPTION">DESCRIPTION</a>
+    <a href="#WARNING">WARNING</a>
     <a href="#ENVIRONMENT">ENVIRONMENT</a>
     <a href="#EXAMPLES">EXAMPLES</a>
     <a href="#SEE-ALSO">SEE ALSO</a>
@@ -77,15 +78,54 @@
 <h2 id="SYNOPSIS">SYNOPSIS</h2>
 
 <p><code>age</code> <code>-e</code> <code>-j</code> <code>batchpass</code><br>
-<code>age</code> <code>-d</code> <code>-j</code> <code>batchpass</code></p>
+<code>age</code> <code>-d</code> <code>-j</code> <code>batchpass</code><br></p>
 
 <h2 id="DESCRIPTION">DESCRIPTION</h2>
 
 <p><code>age-plugin-batchpass</code> is an <a class="man-ref" href="age.1.html">age<span class="s">(1)</span></a> plugin that enables non-interactive
 passphrase-based encryption and decryption using environment variables.</p>
 
-<p>It is not built into the age CLI because most applications should use
-native keys instead of scripting passphrase-based encryption.</p>
+<h2 id="WARNING">WARNING</h2>
+
+<p>This functionality is not built into the age CLI because most applications
+should use native keys instead of scripting passphrase-based encryption.</p>
+
+<p>Humans are notoriously bad at remembering and generating strong passphrases.
+age uses scrypt to partially mitigate this, which is necessarily very slow.</p>
+
+<p>If a computer will be doing the remembering anyway, you can and should use
+native keys instead. There is no need to manage separate public and private
+keys, you encrypt directly to the private key:</p>
+
+<pre><code>$ age-keygen -o key.txt
+$ age -e -i key.txt file.txt &gt; file.txt.age
+$ age -d -i key.txt file.txt.age &gt; file.txt
+</code></pre>
+
+<p>Likewise, you can store a native identity string in an environment variable
+or through your CI secrets manager and use it to encrypt and decrypt files
+non-interactively:</p>
+
+<pre><code>$ export AGE_SECRET=$(age-keygen)
+$ age -e -i &lt;(echo "$AGE_SECRET") file.txt &gt; file.txt.age
+$ age -d -i &lt;(echo "$AGE_SECRET") file.txt.age &gt; file.txt
+</code></pre>
+
+<p>The age CLI also natively supports passphrase-encrypted identity files, so you
+can use that functionality to non-interactively encrypt multiple files such that
+you will be able to decrypt them later by entering the same passphrase:</p>
+
+<pre><code>$ age-keygen -pq | age -p -o encrypted-identity.txt
+Public key: age1pq1cd[... 1950 more characters ...]
+Enter passphrase (leave empty to autogenerate a secure one):
+age: using autogenerated passphrase "eternal-erase-keen-suffer-fog-exclude-huge-scorpion-escape-scrub"
+$ age -r age1pq1cd[... 1950 more characters ...] file.txt &gt; file.txt.age
+$ age -d -i encrypted-identity.txt file.txt.age &gt; file.txt
+Enter passphrase for identity file "encrypted-identity.txt":
+</code></pre>
+
+<p>Finally, when using this plugin care should be taken not to let the password be
+persisted in the shell history or leaked to other users on multi-user systems.</p>
 
 <h2 id="ENVIRONMENT">ENVIRONMENT</h2>