FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Home Page: https://age-encryption.org

Decrypt not working with my setup

orolhawion opened this issue

Environment

  • OS: macOS 11 (Big Sur)
  • age version: 1.0.0.rc1

What were you trying to do

I tried to decrypt a previously encrypted txt file.

What happened

An error was displayed: Error: no identity matched any of the recipients

More Details

I might explain my setup which may be the issue itself:

For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

I read that ssh-agent is not supported, however I am running gpg-agent, which also may not be supported. I just thought I would have a use case here.

Could be related to #137

$ age -R ~/.ssh/id_rsa.pub plain.txt > plain.txt.age

$ cat plain.txt.age 
age-encryption.org/v1
-> ssh-rsa 7nXROQ
[...]
--- Nsc+ERH0H8DWzgNYMCxRdndI1KBX9+sFMsRUO7JKEB4
σ????
V??v\?'A??ۡ>Iv??? ?%

$ age -d plain.txt.age > plain.txt.age.decrypted
Error: no identity matched any of the recipients
[ Did age not do what you expected? Could an error be more useful? Tell us: https://filippo.io/age/report ]

> For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.
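An added example, not part of this thread or of the age code base: a standard-library Go check that lists the recipient stanzas in an age header and computes the tag for an SSH public key line, which tells you whether "no identity matched" is a key mismatch or, as in this issue, a missing private key file. The function names are hypothetical, the tag derivation (first 4 bytes of SHA-256 over the SSH wire-format key, unpadded base64) is taken from the age format specification, and the key line in main is a constructed placeholder rather than a real key.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Recipients returns the fields after "->" for each recipient stanza in an age
// header, stopping at the "---" MAC line that precedes the binary payload.
func Recipients(header string) ([][]string, error) {
	sc := bufio.NewScanner(strings.NewReader(header))
	if !sc.Scan() || sc.Text() != "age-encryption.org/v1" {
		return nil, errors.New("not an age v1 header")
	}
	var out [][]string
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "---") {
			return out, nil
		}
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == "->" {
			out = append(out, f[1:])
		}
	}
	return nil, errors.New("header ended before the --- MAC line")
}

// SSHTag derives the stanza tag for an authorized_keys-style line: unpadded
// base64 of the first 4 bytes of SHA-256 over the decoded key blob.
func SSHTag(pubLine string) (string, error) {
	f := strings.Fields(pubLine)
	if len(f) < 2 {
		return "", errors.New("malformed public key line")
	}
	blob, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(blob)
	return base64.RawStdEncoding.EncodeToString(sum[:4]), nil
}

func main() {
	// Header lines from the issue; the key line is a constructed, non-real blob.
	fmt.Println(Recipients("age-encryption.org/v1\n-> ssh-rsa 7nXROQ\n--- Nsc+ERH0H8DWzgNYMCxRdndI1KBX9+sFMsRUO7JKEB4\n"))
	fmt.Println(SSHTag("ssh-rsa AAAAB3NzaC1yc2E= constructed"))
}
```

If the tag computed from `~/.ssh/id_rsa.pub` equals the one in the `-> ssh-rsa` line, the file was encrypted to that key and the failure is about the private half not being available as a file.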

commented

> Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

Is the YubiKey plugin working and ready to use? Or is that still in development?

commented

> However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

@FiloSottile does this imply the YubiKey plugin will require a hardware key?
i.e. no keychain / other agent-based support is planned for password-protected digital keys?

This is the only usability feature that's stopping me from completely moving away from gpg.

Not as part of the YubiKey plugin, but we are thinking about encrypted keys and agents plugins. The plugin protocol is designed specifically with that in mind.