From 5ee9ddf325374d81e1b4833c8fa9065d4f7ff6ab Mon Sep 17 00:00:00 2001
From: Felicitas Pojtinger
Date: Sat, 4 Dec 2021 00:27:24 +0100
Subject: [PATCH] feat: Add support for password-protected age keys
---
 cmd/stbak/cmd/recovery_fetch.go | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/cmd/stbak/cmd/recovery_fetch.go b/cmd/stbak/cmd/recovery_fetch.go
index 383d7da..8be2a39 100644
--- a/cmd/stbak/cmd/recovery_fetch.go
+++ b/cmd/stbak/cmd/recovery_fetch.go
@@ -284,6 +284,25 @@ func decryptString(
 ) (string, error) {
 switch encryptionFormat {
 case encryptionFormatAgeKey:
+ if password != "" {
+ passwordIdentity, err := age.NewScryptIdentity(password)
+ if err != nil {
+ return "", err
+ }
+
+ r, err := age.Decrypt(bytes.NewBuffer(privkey), passwordIdentity)
+ if err != nil {
+ return "", err
+ }
+
+ out := &bytes.Buffer{}
+ if _, err := io.Copy(out, r); err != nil {
+ return "", err
+ }
+
+ privkey = out.Bytes()
+ }
+
 identity, err := age.ParseX25519Identity(string(privkey))
 if err != nil {
 return "", err
@@ -356,6 +375,25 @@ func decrypt(
 ) (io.ReadCloser, error) {
 switch encryptionFormat {
 case encryptionFormatAgeKey:
+ if password != "" {
+ passwordIdentity, err := age.NewScryptIdentity(password)
+ if err != nil {
+ return nil, err
+ }
+
+ r, err := age.Decrypt(bytes.NewBuffer(privkey), passwordIdentity)
+ if err != nil {
+ return nil, err
+ }
+
+ out := &bytes.Buffer{}
+ if _, err := io.Copy(out, r); err != nil {
+ return nil, err
+ }
+
+ privkey = out.Bytes()
+ }
+
 identity, err := age.ParseX25519Identity(string(privkey))
 if err != nil {
 return nil, err
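Review bot: The unwrap branch in decryptString is selected only by `password != ""`, never by what `privkey` actually contains. A passphrase-protected key supplied without a password therefore falls through to `age.ParseX25519Identity` on ciphertext and presumably surfaces as a generic parse error, while a plaintext key supplied with a password fails inside `age.Decrypt`. Consider also checking the content, e.g. `bytes.HasPrefix(privkey, []byte("age-encryption.org/v1"))`, and returning an explicit error such as "age key is password-protected but no password was given". The identical block added to decrypt has the same gap. Both functions begin and end outside their hunks, so how `password` reaches them is not visible here.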
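Review bot: The 19 lines added to decrypt repeat the decryptString block verbatim except for the zero return value, so the handling of the unwrapped secret key now lives in two places. A shared helper, for example `func unlockAgeKey(privkey []byte, password string) ([]byte, error)` (name is only a suggestion), would keep the scrypt identity, the `age.Decrypt` call and the read of the plaintext key in one spot. A later change, such as trimming the decrypted text before `age.ParseX25519Identity` or wrapping the errors with context, then cannot be applied to one path and missed on the other. The helper should carry a doc comment stating that it returns `privkey` unchanged when `password` is empty.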