Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/FiloSottile/passage

A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend.
https://github.com/FiloSottile/passage

age-encryption password-store

Last synced: 3 months ago
JSON representation

A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend.

Host: GitHub
URL: https://github.com/FiloSottile/passage
Owner: FiloSottile
License: other
Created: 2021-08-21T01:27:23.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2023-10-20T03:42:39.000Z (8 months ago)
Last Synced: 2024-01-15T23:00:43.587Z (5 months ago)
Topics: age-encryption, password-store
Language: Shell
Homepage:
Size: 405 KB
Stars: 686
Watchers: 23
Forks: 36
Open Issues: 18
Metadata Files:
- Readme: README
- License: COPYING

Lists

awesome-age - passage - store that uses age in place of gpg. (Tools)
cli-apps - passage - A fork of [password-store](https://www.passwordstore.org) that uses [age](https://age-encryption.org) as a backend instead of GnuPG. (<a name="password-manager"></a>Password managers)
awesome-stars - FiloSottile/passage - `★731` A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend. (Shell)
awesome-cli-apps - passage - A fork of [password-store](https://www.passwordstore.org) that uses [age](https://age-encryption.org) as a backend instead of GnuPG. (<a name="password-manager"></a>Password managers)

README

passage
=======

passage is a fork of password-store (https://www.passwordstore.org) that uses
age (https://age-encryption.org) as a backend instead of GnuPG.

Differences from pass
---------------------

The password store is at $HOME/.passage/store by default.

For decryption, the age identities at $HOME/.passage/identities are used with
the -i age CLI option.

For encryption, the nearest .age-recipients file (that is, the one in the same
directory as the secret, or in the closest parent) is used with the -R age CLI
option. If no .age-recipients files are found, the identities file is used with
the -i option.

Extensions are searched at $HOME/.passage/extensions. password-store extensions
that wish to be compatible with passage can switch on the PASSAGE variable.

The init command is not currently available, and moving or copying a secret
always re-encrypts it.

Example: simple set up
----------------------

In this setup, the key is simply saved on disk, which can be useful if the
password store is synced to a location less trusted than the local disk.

age-keygen >> $HOME/.passage/identities

Example: set up with a password-protected key
---------------------------------------------

This setup allows using the identity file password as the primary password
to unlock the store.

KEY="$(age-keygen)"
echo "$KEY" | age -p -a >> $HOME/.passage/identities
echo "$KEY" | age-keygen -y >> $HOME/.passage/store/.age-recipients

Example: set up with age-plugin-yubikey
---------------------------------------

This setup requires age v1.1.0, or rage (https://github.com/str4d/rage), and
the PIV plugin age-plugin-yubikey (https://github.com/str4d/age-plugin-yubikey).

It's recommended to add more YubiKeys and/or age keys to the .age-recipients
file as recovery options, in case this YubiKey is lost.

age-plugin-yubikey # run interactive setup
age-plugin-yubikey --identity >> $HOME/.passage/identities
age-plugin-yubikey --list >> $HOME/.passage/store/.age-recipients

Integrating with fzf
--------------------

The following script can be invoked with any (or no) passage flags, and
spawns a fuzzy search dialog using fzf (https://github.com/junegunn/fzf)
for selecting the secret.

#! /usr/bin/env bash
set -eou pipefail
PREFIX="${PASSAGE_DIR:-$HOME/.passage/store}"
FZF_DEFAULT_OPTS=""
name="$(find "$PREFIX" -type f -name '*.age' | \
sed -e "s|$PREFIX/||" -e 's|\.age$||' | \
fzf --height 40% --reverse --no-multi)"
passage "${@}" "$name"

Migrating from pass
-------------------

#! /usr/bin/env bash
set -eou pipefail
cd "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
while read -r -d "" passfile; do
name="${passfile#./}"; name="${name%.gpg}"
[[ -f "${PASSAGE_DIR:-$HOME/.passage/store}/$name.age" ]] && continue
pass "$name" | passage insert -m "$name" || { passage rm "$name"; break; }
done < <(find . -path '*/.git' -prune -o -iname '*.gpg' -print0)

Environment variables
---------------------

PASSAGE_DIR Password store location

PASSAGE_IDENTITIES_FILE Identities file location

PASSAGE_AGE age binary (tested with age and rage)

PASSAGE_RECIPIENTS_FILE Override recipients for encryption operations
Passed to age with -R

PASSAGE_RECIPIENTS Override recipients for encryption operations
Space separated, each passed to age with -r

All other environment variables from password-store are respected, such as
PASSWORD_STORE_CLIP_TIME and PASSWORD_STORE_GENERATED_LENGTH.