doc: document plugins in age(1)

Filippo Valsorda
2021-12-26 14:25:39 +01:00
parent 87a982b72e
commit fbe51d501c


@@ -173,6 +173,31 @@ An encrypted file _can_ be linked to the SSH public key it was encrypted to.
This is so that `age` can identify the correct SSH private key before
requesting its password, if any.
### Plugins
`age` can be extended through plugins. A plugin is only loaded if a corresponding
`RECIPIENT` or `IDENTITY` is specified. (Simply decrypting a file encrypted with
a plugin will not cause it to load, for security reasons among others.)
A `RECIPIENT` for a plugin named `example` starts with `age1example1`, while an
`IDENTITY` starts with `AGE-PLUGIN-EXAMPLE-1`. They both encode arbitrary
plugin-specific data, and are generated by the plugin.
When either is specified, `age` searches for `age-plugin-example` in the PATH
and executes it to perform the file header encryption or decryption. The plugin
may request input from the user through `age` to complete the operation.
Plugins can be freely mixed with other plugins or natively supported keys.
A plugin is not bound to only encrypt or decrypt files meant for or generated by
the plugin. For example, a plugin can be used to decrypt files encrypted to a
native X25519 `RECIPIENT` or even with a passphrase. Similarly, a plugin can
encrypt a file such that it can be decrypted without the use of any plugin.
Plugins for which the `IDENTITY`/`RECIPIENT` distinction doesn't make sense may
generate only an `IDENTITY` and instruct the user to perform encryption with the
`-e`/`--encrypt` and `-i`/`--identity` flags.
## EXIT STATUS
`age` will exit 0 if and only if encryption or decryption are successful for the
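Review bot: The paragraph starting "When either is specified" says `age` searches the PATH for `age-plugin-example` and executes it, but never states that the plugin name is taken from the `RECIPIENT` or `IDENTITY` string itself. Suggest saying so explicitly, including that the upper-case name in `AGE-PLUGIN-EXAMPLE-1` maps to the lower-case binary `age-plugin-example`, and noting that a recipient or identity obtained from someone else therefore selects which `age-plugin-*` binary on the PATH gets run. That would also give the reader something concrete behind "for security reasons among others" in the first paragraph, which is currently left unexplained.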
@@ -244,6 +269,14 @@ Encrypt and decrypt with an SSH public key:
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg
Encrypt and decrypt with age-plugin-yubikey:
$ age-plugin-yubikey # run interactive setup, generate identity file and obtain recipient
$ age -r age1yubikey1qwt50d05nh5vutpdzmlg5wn80xq5negm4uj9ghv0snvdd3yysf5yw3rhl3t secrets.txt > secrets.txt.age
$ age -d -i age-yubikey-identity-388178f3.txt secrets.txt.age
Encrypt to the SSH keys of a GitHub user:
$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age
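Review bot: The added decryption line `age -d -i age-yubikey-identity-388178f3.txt secrets.txt.age` has no output redirection, unlike the SSH example just above it (`example.jpg.age > example.jpg`), so as written the decrypted secrets go to standard output. Suggest ending it with `> secrets.txt` to match the other examples. The trailing comment on the `age-plugin-yubikey` line is also long for a command example; moving "run interactive setup, generate identity file and obtain recipient" into the sentence above the commands would keep the command lines short.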