@chrisswanda
Last active September 12, 2023 02:05
Age encryption scripts

I've slowly been converting various processes and encryption schemes over to age, instead of PGP, both for storing encrypted data at rest and for sending encrypted payloads to other users/machines.

If you are not familiar with age, see the specs here -> https://github.com/C2SP/C2SP/blob/main/age.md

And the current project in GitHub -> https://github.com/FiloSottile/age

Man page - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/master/doc/age.1.html

Now that version 1.0.0 is out and considered stable, hopefully we will start seeing some cool projects using age for encryption, and hopefully some mobile apps, slick UIs, etc. will soon follow.

For my purposes, here is how I have age setup for me and some scripts for my day to day usage:

First create a passphrase-protected key. age-keygen writes the private key to stdout, which the second age encrypts with the passphrase; the public key goes to stderr, so it still shows on the terminal:

    age-keygen | age -p > ~/.config/age/username.priv.key

    Public key: age16wm8r7a6hzghjcqpze4302jwthvwrux46ud78zj9fsjn4c9eyp3qljm0gn
    Enter passphrase (leave empty to autogenerate a secure one): xxxxxxxx
    Confirm passphrase: xxxxxxxx

I take the public key from that output and put it into a file named username.pub.key in my ~/.config/age directory:

    echo "age16wm8r7a6hzghjcqpze4302jwthvwrux46ud78zj9fsjn4c9eyp3qljm0gn" > ~/.config/age/username.pub.key

Keeping both files in ~/.config/age lets me sync them through my self-hosted git repo, so my other machines have the same passphrase-protected credentials.

################## AGE Encrypt ###################

#!/bin/bash

# Recipient public key to encrypt to
pub_key=$(cat ~/.config/age/username.pub.key)

read -ep "Enter input file name > "  input

if [ -f "$input" ] ; then
    case "$input" in
        *.age)  echo "'$input' is not a valid file" ; exit 1 ;;
        *)      read -ep "Enter output file name with .age extension > " output ;;
    esac
else
    echo "'$input' is not a valid file"
    exit 1
fi

age -o "$output" -r "$pub_key" "$input"

################## AGE Decrypt ###################

#!/bin/bash

# Passphrase-protected identity file (itself an age ciphertext), as a plain path
priv_key=~/.config/age/username.priv.key

read -ep "Enter encrypted .age file > " input

if [ -f "$input" ] ; then
    case "$input" in
        *.age)  read -ep "Enter output file name > " output ;;
        *)      echo "'$input' is not a valid file" ; exit 1 ;;
    esac
else
    echo "'$input' is not a valid file"
    exit 1
fi

# The first age prompts for the passphrase and emits the plaintext identity;
# the second reads that identity from stdin (-i -) and decrypts $input, which
# therefore has to be passed as a file argument rather than piped in.
age -d "$priv_key" | age -d -i - -o "$output" "$input"

##################################################

age -d $priv_key | age -d -i - -o $output $input

The script above passes "-" to -i so that the identity is read from standard input; as the man page notes, the INPUT file must then be given as an argument, since stdin is already taken by the identity:

    d. "-", causing one of the options above to be read from standard input. In this case, the INPUT
    argument must be specified.

##################################################

Lately I have just been dropping these functions into my ~/.bash_profile so I don't have to worry about keeping a scripts directory in my $PATH.

age_encrypt()
{
    local pub_key
    pub_key=$(cat "$HOME/.config/age/chrisswanda.pub.age")

    if [ -f "$1" ] ; then
        case "$1" in
            *.age)  echo "'$1' is not a valid file" && return 1 ;;
            *)      age -o "$1.age" -r "$pub_key" "$1" ;;
        esac
    else
        echo "'$1' is not a valid file" && return 1
    fi
}

age_decrypt()
{
    # age accepts a passphrase-protected identity file directly via -i
    local priv_key="$HOME/.config/age/chrisswanda.priv.age"
    local output

    if [ -f "$1" ] ; then
        case "$1" in
            *.age)  output=${1%.age} ;;   # strip only the trailing .age
            *)      echo "'$1' is not a valid file" && return 1 ;;
        esac
    else
        echo "'$1' is not a valid file" && return 1
    fi

    age -d -i "$priv_key" "$1" > "$output"
}
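Both the scripts and the functions above decide whether something is an age file by its ".age" extension, which says nothing about the contents. As an added example (not part of the gist, and not age's own code), here is a check based on the header the age v1 format actually defines: the binary format starts with the line "age-encryption.org/v1", each recipient stanza begins with "-> <type> ...", and the header ends at the "---" MAC line; the ASCII-armored format (age -a) wraps the same bytes in base64 between BEGIN/END lines. The function names, the example file names and the test data are my own; the decrypt wrapper reuses the gist's "-i -" pipeline and needs age installed, while the header inspection runs offline.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: recognise an age ciphertext by its
# header rather than by its ".age" extension, and list which recipient
# stanzas it carries. Format details are from the age v1 spec
# (https://github.com/C2SP/C2SP/blob/main/age.md).

AGE_MAGIC='age-encryption.org/v1'
AGE_ARMOR_BEGIN='-----BEGIN AGE ENCRYPTED FILE-----'

# age_file_kind FILE
# Prints "binary", "armored" or "not-age"; returns 1 for anything that does
# not start with an age header, whatever the file is called.
age_file_kind() {
    local first
    [ -f "$1" ] || { echo not-age; return 1; }
    first=$(head -n 1 < "$1")
    case "$first" in
        "$AGE_MAGIC")       echo binary ;;
        "$AGE_ARMOR_BEGIN") echo armored ;;
        *)                  echo not-age; return 1 ;;
    esac
}

# age_recipient_types FILE
# Prints one recipient type per stanza (X25519 for a public-key recipient,
# scrypt for a passphrase from "age -p", plugin names for others) without
# needing any key. Only the header is read; the payload is never parsed.
age_recipient_types() {
    local kind
    kind=$(age_file_kind "$1") || return 1
    if [ "$kind" = armored ]; then
        # Drop the BEGIN/END lines and decode the armor back to binary format.
        # (GNU and current macOS base64 take -d; very old macOS used -D.)
        sed -e '1d' -e '/^-----END/,$d' < "$1" | base64 -d
    else
        cat < "$1"
    fi | awk '/^---/ { exit }        # MAC line ends the header
              /^-> / { print $2 }'   # stanza line: "-> <type> <args...>"
}

# age_decrypt_checked PRIV_KEY_FILE INPUT OUTPUT
# The gist's pipeline (passphrase-protected identity fed to "-i -"), gated on
# the header check instead of the extension. Requires age on the PATH.
age_decrypt_checked() {
    local priv=$1 input=$2 output=$3
    age_file_kind "$input" >/dev/null || { echo "'$input' is not an age file" >&2; return 1; }
    age -d "$priv" | age -d -i - -o "$output" "$input"
}

# Usage: ./age_inspect.sh FILE...   (no-op when called with no arguments)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(age_file_kind "$f")"
    age_recipient_types "$f" 2>/dev/null | sed 's/^/  recipient: /'
done
```

The inspection is useful on its own: a file encrypted with "age -p" shows a single scrypt stanza, while one encrypted to several "-r" recipients shows one X25519 stanza per recipient, which is a quick way to confirm who can open a file before it leaves the machine.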