Age based repository file encryption gitops tool

agebox

Apache 2 licensed

Easy and simple file repository encryption tool based on Age.

Have you ever thought "this should be simple" while you were using tools like Blackbox, Git-crypt or Sops? This is what agebox is. A tool on top of Age's security system that encrypts/decrypts your repository files, focused on simplicity and gitops.

Features

  • Secure (Agebox delegates security to Age).
  • Tracks encrypted files in repository.
  • No PGP and no agents, just simple SSH and Age key files.
  • File flexibility (encrypts/decrypts recursive paths, multiple/single files, all tracked files...).
  • Reencrypts all tracked files with a single command.
  • Focused on Gitops, CI flows and simplicity.
  • Works with any file (doesn't understand formats like JSON, YAML...).
  • Single binary/executable.
  • No side effects like VCS commands (e.g: doesn't execute Git commands for you).

Get agebox

Getting started

Initialize agebox tracking file.

agebox init

Encrypt (and track) multiple files.

agebox encrypt ./app1/secret1.yaml ./app2/secret1.yaml

Encrypt (and track) a directory in dry-run to see what would be encrypted before doing it.

agebox encrypt ./secrets --dry-run

Encrypt (and track) only the files in a directory that match a filter regex, here the YAML files whose names end in secret.

agebox encrypt ./manifests --filter ".*secret(\.yaml|\.yml)$"

Decrypt a subset of tracked secrets and a file.

agebox decrypt ./secrets/team-1 ./secrets/secret1.yaml

Decrypt only the tracked files that match a filter regex, here the team-a files.

agebox decrypt ./secrets --filter ".*team-a.*"

Validate that all tracked encrypted files exist and can be decrypted.

agebox decrypt --all --dry-run --force --no-log

Reencrypt all files.

agebox reencrypt

Untrack multiple files.

agebox untrack ./secrets/secret1.yaml ./secrets/secret2.yaml

Untrack and delete file.

agebox untrack ./secrets/secret1.yaml --delete

How does it work

When you initialize agebox on a repository it will create a file (.ageboxreg.yml) that will track all the encrypted files in the repository.

From now on if you encrypt files with agebox from the root of the repository it will:

  • Track the files if not already tracked.
  • Encrypt the files with the public keys in ./keys or --public-keys as recipients.
  • If a path is a directory, it is expanded to all the files in the directory and its subdirectories.

In regular agebox usage, you can:

  • Decrypt tracked files as a single file, multiple files, a directory and its subdirectories...
  • Decrypt all tracked files (--all).
  • Reencrypt all tracked files with the public key recipients.
  • Encrypt all tracked files (--all) that are decrypted in the repository.
  • Untrack a file (and optionally delete from the file system).
  • Encrypt/decrypt in dry-run to validate (handy in CI for checking).

Check the Getting started section for specific commands.

Keys

Agebox supports the same asymmetric keys Age does:

  • X25519 (Age).
  • RSA SSH.
  • Ed25519 SSH.

Public keys

The public keys are the recipients of the encrypted files. With their respective private keys, users will be able to decrypt the files.

Public keys should be in a directory relative to the root of the repository (by default ./keys) at the moment of invoking encryption commands. This simplifies key usage by not requiring PGP keys or agents.

Agebox encrypts with the loaded public keys; this means that whenever a public key is added or removed, the tracked files should be reencrypted.

In case you don't want to have all the public keys in all the repositories that are managed by agebox, you could centralize these keys in another repository and fetch them before invoking agebox. Some usage examples:

  • Git submodule: git pull --recurse-submodules.
  • Git repo: run git clone/pull before invoking the agebox command.
  • Download public keys from S3.

You can configure this with the --public-keys flag or the AGEBOX_PUBLIC_KEYS env var.

You can have multiple public keys in a file (one per line), like an Age recipients file.
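
When the keys directory lives in the repository, a private key copied there by mistake is committed along with the recipients. The shell check below is an added example, not part of agebox: it lints a keys directory before encryption, assuming every non-comment line must be an age (age1...) or SSH (ssh-ed25519, ssh-rsa) public key. The function names and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an agebox public-keys directory before encrypting.
# Assumption: every non-comment line must be an age or SSH public key.

# classify_key_line LINE -> prints private | skip | recipient | unknown
classify_key_line() {
    line=$(printf '%s' "$1" | tr -d '\r')   # tolerate CRLF-edited files
    case "$line" in
        # Secret material is tested first so a commented-out key is caught.
        *AGE-SECRET-KEY-1*|*'PRIVATE KEY-----'*) echo private ;;
        ''|'#'*)                                 echo skip ;;
        age1*|'ssh-ed25519 '*|'ssh-rsa '*)       echo recipient ;;
        *)                                       echo unknown ;;
    esac
}

# lint_keys_dir DIR -> prints findings; returns 0 only if the directory holds
# at least one recipient and no private or unrecognized content.
lint_keys_dir() {
    dir=$1; total=0; bad=0
    list=$(mktemp) || return 2
    find "$dir" -type f > "$list"          # include subdirectories
    while IFS= read -r f; do
        priv=0; unk=0; rec=0
        # "|| [ -n "$l" ]" keeps a last line that has no trailing newline.
        while IFS= read -r l || [ -n "$l" ]; do
            case $(classify_key_line "$l") in
                private)   priv=1 ;;
                unknown)   unk=$((unk + 1)) ;;
                recipient) rec=$((rec + 1)) ;;
            esac
        done < "$f"
        if [ "$priv" -eq 1 ]; then
            echo "PRIVATE-KEY $f"; bad=1
        elif [ "$unk" -gt 0 ]; then
            echo "UNRECOGNIZED $f ($unk lines)"; bad=1
        else
            total=$((total + rec))
        fi
    done < "$list"
    rm -f "$list"
    if [ "$total" -eq 0 ]; then echo "NO-RECIPIENTS $dir"; bad=1; fi
    if [ "$bad" -eq 0 ]; then echo "OK $total recipients"; fi
    return "$bad"
}

# make_sample_keys_dir DIR: constructed sample data, none of it real key material.
make_sample_keys_dir() {
    mkdir -p "$1/ci"
    printf '%s\n' '# platform team' \
        'age1constructedsamplerecipientnotarealkey' \
        'ssh-ed25519 AAAAconstructedsample alice@example' '' > "$1/team.txt"
    printf '%s\r\n' 'ssh-rsa AAAAconstructedsample ci@example' > "$1/ci/deploy.pub"
    # An age identity file dropped into the keys directory by mistake.
    printf '%s\n' '# created: 2024-01-01T00:00:00Z' \
        '# public key: age1constructedsamplerecipientnotarealkey' \
        'AGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDERNOTAREALKEY' > "$1/bob_identity.txt"
    # An SSH private key copied instead of its .pub file.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'constructedplaceholderbody' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/id_ed25519"
}

# Usage: sh lint-keys.sh ./keys   (exit status is the lint result)
if [ "$#" -gt 0 ]; then lint_keys_dir "$1"; fi
```

Run it as a CI step before agebox encrypt or agebox reencrypt, passing the same directory that --public-keys points to.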

Private keys

A private key (singular) should be passed whenever a decrypt operation is made.

You can configure this with the --private-key flag or the AGEBOX_PRIVATE_KEY env var.

Alternatives

  • Blackbox: Uses PGP (requires an agent), complex and sometimes has undesired side effects (e.g. Git command execution).
  • Sops: Lots of features and very complex for simple use cases.
  • Git-crypt: Uses PGP (requires an agent), complex, 100% tied to Git.

Kudos

Thanks to @FiloSottile, @Benjojo12 and all the other contributors of Age.

Without Age, Agebox would not exist.

Owner
Xabier Larrakoetxea Gallego
SRE at @cabify
Comments
  • Why is the .agebox file deleted on decrypt?

    Hello 👋

    I am playing around with agebox to track secrets in a git repository, and I am surprised by the fact that the .agebox file is deleted on decrypt.

    Used in git, this means that if I decrypt the file to feed it to my tool, I'm then going to need to git restore it each time before committing. Encrypting the file again is not really an option either since that's going to change the file even if there are no changes.

    There is the cat command, but in various situations it's cumbersome to have to deal with stdout for secret import, where having them in a file is straightforward (one can redirect cat to a file, but that’s again some unneeded ceremony from my point of view).

    Am I using agebox wrong in some way? 🤔

    I think having an option to keep the .agebox files on decrypting would make sense, with maybe an additional command that deletes any unencrypted tracked secret file as a simple and VCS agnostic way of preventing those from lying around.

  • Add function for parsing age identity

    This new function will look for a line in the input string that starts with AGE-SECRET-KEY-1. That line is then cleaned of whitespaces and passed to age.ParseX25519Identity.

    Closes #79. Fixes #80.

  • [QUESTION] How to use ssh-rsa/ed25519 keys?

    Hello!

    I'm evaluating agebox as an alternative to the currently used "blackbox" scripts.

    This is where I found that I can encrypt files using my ed25519 based ssh key but the decryption fails. I have tested this on MacOS (10.15.7) and Linux:

    > mkdir agebox-test
    > cd agebox-test
    > echo "HELLO" > testfile
    > agebox init
    
    > mkdir keys
    > ssh-keygen -t ed25519 -N "passphrase"
    # copy id_es25519.pub to ./keys
    
    > agebox encrypt testfile
    INFO[0000] Loaded public keys                            keys=1 svc=storage.fs.KeyRepository version=v0.2.0
    INFO[0000] Secret encrypted                              secret-id=testfile svc=box.encrypt.Service version=v0.2.0
    > agebox decrypt testfile.agebox --private-key id_es25519 # private key file is present in this directory
    
    error: "decrypt" command failed: could not decrypt: could not get private key: could not load private key in "id_es25519": invalid private key
    

    Can you help me find out what I do wrong?

    Thank you for building agebox and for your help Frank

  • Bump filippo.io/age from 1.0.0 to 1.1.0

    Bumps filippo.io/age from 1.0.0 to 1.1.0.

    Release notes

    Sourced from filippo.io/age's releases.

    age v1.1.0: plugin and YubiKeys support

    age is a simple, modern and secure file encryption tool, format, and Go library. It features small explicit keys, no config options, and UNIX-style composability. Learn more by reading the README, the age(1) man page, the Go API reference, the format specification, or the full release changelog. Watch the repository or follow @​[email protected] to be notified of new releases.

    🛠️ FYI, age now has an extensive test suite which all age implementations are encouraged to adopt.

    Plugin support

    The age CLI now supports plugins, such as age-plugin-yubikey by @​str4d. To try it on macOS with Homebrew:

    $ brew upgrade age
    $ brew install age-plugin-yubikey
    $ age-plugin-yubikey # interactive setup
    $ age -r age1yubikey1qwt50d05nh5vutpdzmlg5wn80xq5negm4uj9ghv0snvdd3yysf5yw3rhl3t
    $ age -d -i age-yubikey-identity-388178f3.txt
    

    Plugins must be loaded explicitly by using their respective recipient or identity, and are not tied to a specific header stanza type. This means plugins can be used not only to support new recipient types such as PIV tokens (i.e. YubiKeys) or cloud KMS solutions, but also to produce passphrase-encrypted files that can be decrypted without plugins, to store age native private keys on secure elements, or even for agent functionality or to proxy decryption operations to remote machines.

    Plugins operate over a simple textual stdin/stdout protocol (C2SP/C2SP#5). Developers are encouraged to reach out with plugin ideas and announcements. Read more in the relevant man page section.

    Breaking changes

    If -i is used, passphrase-encrypted files are now rejected. Previously, a passphrase-encrypted file was auto-detected and the identity file was ignored. This could lead to unexpected behavior, such as a script blocking for user interaction, based on potentially untrusted input files. Now, age -d must be invoked without -i arguments to decrypt passphrase-encrypted files. A helpful error is printed otherwise. This should not break any automated system as passphrase decryption was always interactive.

    Empty final chunks are now rejected. If a payload was a multiple of 64KiB long, there were two valid encryptions for it: with a "full" last chunk encrypting 64KiB, or with an additional "empty" chunk encrypting 0 bytes. age, rage, and all other known implementations only ever produced the former. (Note that age will forever decrypt files it generated.) The latter is now rejected. The specification has been updated (C2SP/C2SP#13) and test cases are included in the test suite.

    Minor changes

    PKCS#8-encoded Ed25519 private keys (such as 1Password exports) are now supported as SSH identities.

    If an armored file is pasted into the terminal, age will now attempt to wait until the end of the file before prompting for a password.

    Some invalid files are now correctly rejected, in particular encrypted files with trailing data. (Yay for the test suite!)

    If /dev/tty is present but can't be opened, age will now fallback to trying to treat stdin as a terminal as if /dev/tty wasn't present. (Thanks @​brandsimon!)

    Input prompts now go to the terminal, even if standard error is redirected.

    Values of the new armor.Error type are now returned wrapped in decryption errors when appropriate.

    Windows binary releases are now signed. (Thanks @​technion!)

    Documentation and error messages were improved.

    age v1.1.0-rc.1: plugin and YubiKeys support

    ... (truncated)

    Commits
    • 7354aa0 internal/bech32: remove data length limit
    • bf8d2a3 age: move testkit to CCTV
    • 5d5c9c4 .github/workflows: parallelize build process (#456)
    • e05ce26 .github/workflows: use gh to upload release artifacts (#455)
    • 000e931 doc: regenerate groff and html man pages
    • ebf48f1 doc: trim trailing whitespace
    • 3f2209c doc: fix typos
    • bbac0a5 README: add a couple links to the heading
    • 02a01c6 README: switch order of installation and usage (#448)
    • 8328d19 .github/workflows: update Go and FreeBSD in test
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Bump xresloader/upload-to-github-release from 1.3.3 to 1.3.8

    Bumps xresloader/upload-to-github-release from 1.3.3 to 1.3.8.

    Release notes

    Sourced from xresloader/upload-to-github-release's releases.

    v1.3.8

    CHANGELOG

    1. Fixes #39.
    2. Update dependencies.

    v1.3.7

    CHANGELOG

    1. Update dependencies to fixes #38

    v1.3.6

    CHANGELOG

    1. Update dependency
    2. Fixes uploading always failed when file size is 0 (#37)
    3. Add target_owner and target_repo to custom target repository. (#21)

    v1.3.4

    CHANGELOG

    • Update dependencies
    • Fix tag name when updating an existing release
    Commits

  • Bump golang from 1.18.1 to 1.19.3 in /docker/dev

    Bumps golang from 1.18.1 to 1.19.3.

  • Bump golang from 1.18.1-alpine to 1.19.2-alpine in /docker/prod

    Bumps golang from 1.18.1-alpine to 1.19.2-alpine.

  • Bump golang from 1.18.1 to 1.19.2 in /docker/dev

    Bumps golang from 1.18.1 to 1.19.2.

  • Bump actions/checkout from 3.0.2 to 3.1.0

    Bumps actions/checkout from 3.0.2 to 3.1.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.0.2...v3.1.0

    Changelog

    Sourced from actions/checkout's changelog.

    v3.1.0

    Commits

  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.5

    Bumps github.com/stretchr/testify from 1.7.1 to 1.7.5.

    Commits

  • Bump golang from 1.18.1-alpine to 1.18.3-alpine in /docker/prod

    Bumps golang from 1.18.1-alpine to 1.18.3-alpine.

  • Bump filippo.io/age from 1.0.0 to 1.1.1

    Bumps filippo.io/age from 1.0.0 to 1.1.1.

    Release notes

    Sourced from filippo.io/age's releases.

    age v1.1.1 is a patch release to fix go install filippo.io/age/...@latest.

    See the release notes for v1.1.0 for changes since v1.0.0.


    Commits
    • c6dcfa1 all: temporarily disable testscript tests
    • a1fabee all: upgrade dependencies
    • 7354aa0 internal/bech32: remove data length limit
    • bf8d2a3 age: move testkit to CCTV
    • 5d5c9c4 .github/workflows: parallelize build process (#456)
    • e05ce26 .github/workflows: use gh to upload release artifacts (#455)
    • 000e931 doc: regenerate groff and html man pages
    • ebf48f1 doc: trim trailing whitespace
    • 3f2209c doc: fix typos
    • bbac0a5 README: add a couple links to the heading
    • Additional commits viewable in compare view

  • Bump actions/checkout from 3.0.2 to 3.2.0

    Bumps actions/checkout from 3.0.2 to 3.2.0.

    Release notes

    Sourced from actions/checkout's releases.

    v3.2.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3...v3.2.0

    v3.1.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/actions/checkout/compare/v3.0.2...v3.1.0

    Changelog

    Sourced from actions/checkout's changelog.

    Changelog

    v3.1.0

    Commits

  • cannot decrypt file after encryption using personal RSA keys

    I have a key pair that I use for everything. I wanted to test this out with it, but it will not decrypt:

    $ agebox validate
    INFO[0000] Using 1 tracked files                         version=0.6.1
    WARN[0000] Could not load private key: invalid private key  key=/home/michael/.ssh/michael_rsa svc=storage.fs.KeyRepository version=0.6.1
    WARN[0000] Could not load private key: invalid private key  key=/home/michael/.ssh/michael_rsa.pub svc=storage.fs.KeyRepository version=0.6.1
    INFO[0000] Loaded private keys                           keys=2 svc=storage.fs.KeyRepository version=0.6.1
    ERRO[0000] Invalid secret: could not decrypt secret: age could not decrypt the secret: no identity matched any of the recipients  secret-id=nixops/secrets/localstate.nixops svc=box.validate.Service version=0.6.1
    

    Yes, this key has a password on it, but it doesn't work with the --passphrase flag either. I've used this key for so many things, I must be doing something wrong here.

    Thanks!

  • Bump golang from 1.18.1-alpine to 1.19.4-alpine in /docker/prod

    Bumps golang from 1.18.1-alpine to 1.19.4-alpine.

  • Bump golang from 1.18.1 to 1.19.4 in /docker/dev

    Bumps golang from 1.18.1 to 1.19.4.

  • Bump xresloader/upload-to-github-release from 1.3.3 to 1.3.9

    Bumps xresloader/upload-to-github-release from 1.3.3 to 1.3.9.

    Release notes

    Sourced from xresloader/upload-to-github-release's releases.

    v1.3.9

    CHANGELOG

    1. Fix default values of draft and prerelease. (#41)

    v1.3.8

    CHANGELOG

    1. Fixes #39.
    2. Update dependencies.

    v1.3.7

    CHANGELOG

    1. Update dependencies to fix #38

    v1.3.6

    CHANGELOG

    1. Update dependency
    2. Fixes uploading always failed when file size is 0 (#37)
    3. Add target_owner and target_repo to custom target repository. (#21)

    v1.3.4

    CHANGELOG

    • Update dependencies
    • Fix tag name when updating an existing release
Age-encrypted-notebook - Age encrypted notes saved in a bolt DB

Age Encrypted Notebook (aen) Disclaimer: This project has the sole purpose of ge

Sep 15, 2022
Terraform-provider-age - Age Terraform Provider with golang

Age Terraform Provider This provider lets you generate an Age key pair. Using th

Feb 15, 2022
password manager using age for encryption

page ====== password manager using age (https://age-encryption.org/) for encryption. encrypted secrets are files in the $PAGE_SECRETS/ directory that

May 30, 2022
ArgoCD is widely used for enabling CD GitOps. ArgoCD internally builds manifest from source data in Git repository, and auto-sync it with target clusters.

ArgoCD Interlace ArgoCD is widely used for enabling CD GitOps. ArgoCD internally builds manifest from source data in Git repository, and auto-sync it

Dec 14, 2022
Dec 28, 2022
Search for vulnerabilities and exposures while filtering based on age, keywords, and other parameters.

FAV/E FAV/E (Find A Vulnerability/Exposure) utilizes the NIST CVE database search API to search for vulnerabilities and exposures while filtering base

Dec 31, 2022
Sekura is an Encryption tool that's heavily inspired by the Rubberhose file system.

It allows for multiple, independent file systems on a single disk whose existence can only be verified if you posses the correct password.

Oct 16, 2022
This is a simple file storage server. User can upload file, delete file and list file on the server.

Simple File Storage Server This is a simple file storage server. User can upload file, delete file and list file on the server. If you want to build a

Jan 19, 2022
`age-plugin-yubikey` implementation, encrypt things with a Yubikey/any PIV card

This is an age plugin for PIV cards/Yubikey. Your secret is kept safe on the tamperproof hardware, while letting you use the age command-line.

Aug 10, 2022
ORBOS - GitOps everything

ORBOS - GitOps everything ORBOS explained ORBITER BOOM Getting Started on Google Compute Engine In the following example we will create a kubernetes c

Dec 31, 2022
Script to check open slot for 18+ age group in particular district and pin code area

Running instruction install go: 1.14 (might work with other versions as well) install following library for sending notifications go get -u github.com

Mar 22, 2022
Bootstrap curated Kubernetes stacks. Logging, metrics, ingress and more - delivered with gitops.

Gimlet Stack Bootstrap curated Kubernetes stacks. Logging, metrics, ingress and more - delivered with gitops. You can install logging aggregators, met

Dec 1, 2021
The Elastalert Operator is an implementation of a Kubernetes Operator, to easily integrate elastalert with gitops.

Elastalert Operator for Kubernetes The Elastalert Operator is an implementation of a Kubernetes Operator. Getting started Firstly, learn How to use el

Jun 28, 2022
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP

sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (demo)

Jan 9, 2023
End-to-end encrypted email for the mesh networking age

Yggmail It's email, but not as you know it. Introduction Yggmail is a single-binary all-in-one mail transfer agent which sends and receives email nati

Jan 2, 2023
Mildly performant age public key bruteforcer

vanity-age Mildly performant age vanity public key brute-forcer.

Aug 30, 2021
Convert SSH Ed25519 keys to age keys. This is useful for usage in sops-nix and sops

ssh-to-age Convert SSH Ed25519 keys to age keys. This is useful for usage in sops-nix and sops Usage Exports the private key: $ ssh-to-age -private-ke

Dec 21, 2022
Cluster bootstraps for GitOps

Introduction Documentation Site Cluster bootstraps for Crossplane GitOps based on argocd, see main doc site for details PreRequisites K8 cluster eg ki

Mar 13, 2022
Encrypt embedded go files using age.

encembed Encrypt embedded resource in compiled binary using age. Meant for usage with go generate. This tool will generate a go source file that embed

Nov 20, 2022
gokp aims to install a GitOps Native Kubernetes Platform

gokp gokp aims to install a GitOps Native Kubernetes Platform. This project is a Proof of Concept centered around getting a GitOps aware Kubernetes Pl

Nov 4, 2022