FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Home page: https://age-encryption.org


Passphrase can't be combined with recipient

mykhal opened this issue · comments

Currently, the passphrase is obviously intended mainly for privkey storage encryption with scrypt, and cannot be combined with a recipient key.

I understand there's a "passphrase distribution" problem (also some usability problem), however, the peers might already have prenegotiated some. It would be nice if age had a feature similar to WireGuard PSK. (From a normal user's standpoint, it might not be clear why the recipient + passphrase combination is "forbidden"; it should maybe just be discouraged.)

(Sorry for the accidental closing, acute slight sleep/coffee insufficiency. DELME.)

Excuse me if I'm not understanding your use case, but wouldn't that just be encrypting the same thing twice? Or are you expecting a multiple-recipients type feature that allows either the passphrase or recipient's key to unlock?

It could be said a) "encrypting twice"; I meant an additional layer of security with a secret "symmetric key" (derived from a passphrase, or set directly), for the same single recipient, but maybe different per file/message, if it's useful to do so.

... I already meant WireGuard, which has an optional PresharedKey in addition to PublicKey:

# wg
interface: wg0
  public key: TPgxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFlo=
  private key: (hidden)
  ...

peer: dXKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxqkc=
  allowed ips: xxx.xxx.xxx.xxx/32
  ...

peer: jOWxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxlDM=
  preshared key: (hidden)
  allowed ips: xxx.xxx.xxx.xxx/32
  ...

...
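To make the two readings in this thread concrete, here is an added Python example that is not part of the age project and was not posted by anyone in this thread. It models age's header as a list of stanzas that each wrap the same 16-byte file key: with an X25519 stanza and a scrypt stanza side by side, either identity unlocks the file (age's existing multi-recipient semantics); with a WireGuard-style preshared key folded into the recipient's key derivation, the recipient key alone is no longer enough. The PSK mixing is a hypothetical design, not an age feature. Assumptions: a constructed 32-byte value stands in for the X25519 shared secret, and an HMAC-based toy wrap stands in for the ChaCha20-Poly1305 wrapping age actually uses; the scrypt step is the real KDF, with a lowered work factor.

```python
"""Model of age header stanzas: "either identity unlocks" versus a
WireGuard-style PSK that is required in addition to the recipient key.
Added illustration only; not age's code."""
import hashlib
import hmac
import os

FILE_KEY_LEN = 16  # age's file key is 16 bytes

# Constructed demo values; in age the shared secret would come from X25519 ECDH.
DEMO_FILE_KEY = bytes(range(FILE_KEY_LEN))
DEMO_SHARED_SECRET = b"\x42" * 32
DEMO_PASSPHRASE = "correct horse battery staple"
DEMO_PSK = b"prenegotiated-psk-demo"


def _wrap(wrapping_key: bytes, file_key: bytes) -> tuple:
    """Toy authenticated key wrap (HMAC keystream + HMAC tag); stand-in for an AEAD."""
    nonce = os.urandom(16)
    stream = hmac.new(wrapping_key, b"wrap-stream" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(file_key, stream))
    tag = hmac.new(wrapping_key, b"wrap-tag" + nonce + body, hashlib.sha256).digest()
    return nonce, body, tag


def _unwrap(wrapping_key: bytes, nonce: bytes, body: bytes, tag: bytes):
    """Return the file key, or None if the tag does not verify under this key."""
    expected = hmac.new(wrapping_key, b"wrap-tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(wrapping_key, b"wrap-stream" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


def _scrypt_key(passphrase: str, salt: bytes) -> bytes:
    # Same KDF age uses for passphrase stanzas (work factor lowered for the demo).
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _recipient_key(shared_secret: bytes, psk: bytes) -> bytes:
    # HKDF-Extract-style step. Folding the PSK into the salt makes the wrapping
    # key depend on both the ECDH secret and the PSK (hypothetical design).
    return hmac.new(b"age-psk-demo" + psk, shared_secret, hashlib.sha256).digest()


def encrypt_header(file_key, shared_secret, passphrase=None, psk=b""):
    """Build a list of stanzas, each wrapping the same file key for one identity."""
    assert len(file_key) == FILE_KEY_LEN
    stanzas = [("x25519", b"") + _wrap(_recipient_key(shared_secret, psk), file_key)]
    if passphrase is not None:
        salt = os.urandom(16)
        stanzas.append(("scrypt", salt) + _wrap(_scrypt_key(passphrase, salt), file_key))
    return stanzas


def decrypt_header(stanzas, shared_secret=None, passphrase=None, psk=b""):
    """Try every stanza with the identities we hold; the first that verifies wins."""
    for kind, salt, nonce, body, tag in stanzas:
        if kind == "x25519" and shared_secret is not None:
            key = _recipient_key(shared_secret, psk)
        elif kind == "scrypt" and passphrase is not None:
            key = _scrypt_key(passphrase, salt)
        else:
            continue
        file_key = _unwrap(key, nonce, body, tag)
        if file_key is not None:
            return file_key
    raise ValueError("no held identity unlocks any stanza")


def can_decrypt(stanzas, **identities) -> bool:
    """True if the given identities recover the file key from the header."""
    try:
        decrypt_header(stanzas, **identities)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    either = encrypt_header(DEMO_FILE_KEY, DEMO_SHARED_SECRET, passphrase=DEMO_PASSPHRASE)
    both = encrypt_header(DEMO_FILE_KEY, DEMO_SHARED_SECRET, psk=DEMO_PSK)
    print("either: recipient key alone ->", can_decrypt(either, shared_secret=DEMO_SHARED_SECRET))
    print("either: passphrase alone    ->", can_decrypt(either, passphrase=DEMO_PASSPHRASE))
    print("both: recipient key, no PSK ->", can_decrypt(both, shared_secret=DEMO_SHARED_SECRET))
    print("both: recipient key + PSK   ->", can_decrypt(both, shared_secret=DEMO_SHARED_SECRET, psk=DEMO_PSK))
```

The first header answers the "multiple-recipients type feature" reading: two stanzas, and either the recipient key or the passphrase recovers the file key on its own. The second header answers the "additional layer" reading: a single stanza whose wrapping key already depends on the PSK, so a recipient holding the right private key but not the PSK gets a tag failure and no file key. Nesting two age invocations ("encrypting twice") gives the same requirement-of-both property with the tool as it exists today, at the cost of a second header and a second pass over the data.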