FiloSottile/passage

Encrypt when yubikey isn't present

tekumara opened this issue · 3 comments

passage expects the yubikey to be inserted:

$ passage insert foo -m
Enter contents of foo and press Ctrl+D when finished:

Please insert YubiKey with serial 12345678 (press [1] for "YubiKey is plugged in" or [2] for "Skip this YubiKey")

Pressing 2:

age: error: failed to wrap key for recipient #1: yubikey plugin: Could not open YubiKey with serial 12345678
age: report unexpected or unhelpful errors at https://filippo.io/age/report
Password encryption aborted.

I was expecting to be able to encrypt to a yubikey that isn't present.

By default, passage will use the identity file with -i and age-plugin-yubikey identities require the YubiKey. However, you can generate the corresponding recipient with age-plugin-yubikey and place it in the .age-recipients file, and that will work without the YubiKey.
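One way to follow that advice from a shell, as an added example that is not part of this issue thread or of the passage project: take the output of `age-plugin-yubikey --list` (which prints each identity's public recipient line after a few `#` comment lines), keep only the `age1yubikey1...` recipient lines, and write them to `.age-recipients` in the store directory (assumed here to be passage's default, `~/.passage/store`). The sample listing and the recipient string are constructed placeholders, and the guard that rejects `AGE-...` identity lines is a precaution added here so a private identity is never dropped into a file meant for public recipients.

```shell
#!/bin/sh
# Added example, not code from the passage or age-plugin-yubikey projects.
# Builds <store>/.age-recipients from `age-plugin-yubikey --list` output so
# that passage can encrypt without the YubiKey being plugged in.

# Constructed sample of `age-plugin-yubikey --list` output (layout
# approximate; the recipient string below is a placeholder, not a real key).
SAMPLE_LIST='#       Serial: 12345678, Slot: 1
#         Name: age identity example
#      Created: 2023-01-01 00:00:00 +00:00
#   PIN policy: Once
# Touch policy: Always
age1yubikey1qexampleplaceholderrecipientnotarealkey0000000000000000'

# Keep only recipient lines (public, safe to store next to the secrets);
# drop the `#` comment lines the plugin prints above each recipient.
extract_recipients() {
  printf '%s\n' "$1" | grep '^age1'
}

# Write the recipients file for the given store directory.
# Refuses input containing an identity line (AGE-PLUGIN-YUBIKEY-...):
# identities belong only in the identity file passed with -i.
# Prints the number of recipient lines written.
write_recipients_file() {
  dir="$1"
  list="$2"
  if printf '%s\n' "$list" | grep -q '^AGE-'; then
    echo "refusing: identity line found in recipient input" >&2
    return 1
  fi
  mkdir -p "$dir"
  extract_recipients "$list" > "$dir/.age-recipients"
  wc -l < "$dir/.age-recipients" | tr -d ' '
}

# Real usage (requires age-plugin-yubikey and the YubiKey for this one step):
#   write_recipients_file "$HOME/.passage/store" "$(age-plugin-yubikey --list)"
# Afterwards `passage insert foo` encrypts to the listed recipient(s) with the
# key unplugged; decryption still needs the YubiKey via the identity file.
```

Running the listing step is the only point at which the YubiKey has to be present; everything encrypted afterwards goes to the public recipient, while `passage show` continues to require the token through the `-i` identity file.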

Thanks @FiloSottile for the explanation! I had a .age-recipients file in ~/.passage. Once I moved it to ~/.passage/store I was no longer prompted for the yubikey.

(I'll have to re-encrypt all the secrets I encrypted using just the identity file, and not the full set of recipients in .age-recipients)