Passage requiring first entry of .age-recipients for decryption
solomon-b opened this issue · 5 comments
I've set up three Yubikeys with Age and configured passage to use them by running once for each yubikey:
➜ age-plugin-yubikey --identity >> $HOME/.passage/identities
➜ age-plugin-yubikey --list >> $HOME/.passage/store/.age-recipients
I then generated a test password and am only able to decrypt it with the first yubikey I added to the .age-recipients file:
➜ passage test/pass
Please insert YubiKey with serial 19234119: (y/n)
I noticed issue #7 addresses my question. The expected behavior should be that after a timeout I am able to use the alternate key(s); however, passage is sitting at this prompt:
passage test
Please insert YubiKey with serial 22388305: (y/n) Waiting for age-plugin-yubikey...
I think passage is great but it seems to be designed entirely around 1 machine with 1 key which is unfortunate. Ideally it would be trivial to have the password repository on multiple machines, each with their own yubikey (i.e. each connected to a 5C nano).
have the password repository on multiple machines, each with their own yubikey
This is totally doable: on each machine you use a different identities file listing its associated YubiKey, and you put all recipients in the recipient file.
What I think @solomon-b is trying to do is to have multiple YubiKeys listed in the same identities file on the same machine. That will try them in order, but should work. What happens if you type n at the (y/n) prompt? What version of age are you using?
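A consistency check that follows from the reply above (an added example, not code from passage or age-plugin-yubikey): it compares a machine's identities file against the store's .age-recipients, flagging local identities whose recipient is missing from the store (new entries could not be decrypted with that key) and recipients that no local identity can serve. It assumes age-plugin-yubikey's `--identity` output carries a `#    Recipient: age1yubikey1...` comment before each identity line; the key values in the sample are constructed.

```shell
#!/bin/sh
# Extract recipients from an identities file (the "# Recipient:" comment
# that age-plugin-yubikey writes above each AGE-PLUGIN-YUBIKEY-1... line).
identity_recipients() {
    sed -n 's/^#[[:space:]]*Recipient:[[:space:]]*\(age1yubikey1[a-z0-9]*\).*/\1/p' "$1"
}

# Extract bare recipient lines from a .age-recipients file; comment lines
# from "age-plugin-yubikey --list" are skipped.
store_recipients() {
    sed -n 's/^[[:space:]]*\(age1[a-z0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Returns 0 when every local identity is listed in the recipients file,
# 1 otherwise. Prints OK/MISSING per local identity and REMOTE for store
# recipients that belong to a YubiKey not present on this machine.
check_identity_coverage() {
    ids=$1; rcpts=$2; status=0
    for r in $(identity_recipients "$ids"); do
        if store_recipients "$rcpts" | grep -qx "$r"; then
            echo "OK      $r"
        else
            echo "MISSING $r"; status=1
        fi
    done
    for r in $(store_recipients "$rcpts"); do
        identity_recipients "$ids" | grep -qx "$r" || echo "REMOTE  $r"
    done
    return $status
}

# Constructed sample data (not real keys): this machine holds keys 1111 and
# 3333, but the store only lists 1111 and a key from another machine, 2222.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/identities" <<'EOF'
#       Serial: 11111111, Slot: 1
#    Recipient: age1yubikey1qsample1111
AGE-PLUGIN-YUBIKEY-1SAMPLEIDENTITY1111
#       Serial: 33333333, Slot: 1
#    Recipient: age1yubikey1qsample3333
AGE-PLUGIN-YUBIKEY-1SAMPLEIDENTITY3333
EOF
    printf 'age1yubikey1qsample1111\nage1yubikey1qsample2222\n' > "$dir/.age-recipients"
    echo "$dir"
}

if [ "${1-}" = "--demo" ]; then
    d=$(make_sample)
    check_identity_coverage "$d/identities" "$d/.age-recipients"
fi
```

Run with `--demo` to see the sample report; in real use, point it at `$PASSAGE_IDENTITIES_FILE` (default `~/.passage/identities`) and the store's `.age-recipients`.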