Encrypt when yubikey isn't present
tekumara opened this issue · 3 comments
tekumara commented
passage expects the yubikey to be inserted:
$ passage insert foo -m
Enter contents of foo and press Ctrl+D when finished:
Please insert YubiKey with serial 12345678 (press [1] for "YubiKey is plugged in" or [2] for "Skip this YubiKey")
Pressing 2:
age: error: failed to wrap key for recipient #1: yubikey plugin: Could not open YubiKey with serial 12345678
age: report unexpected or unhelpful errors at https://filippo.io/age/report
Password encryption aborted.
I was expecting to be able to encrypt to a yubikey that isn't present.
FiloSottile commented
By default, passage will use the identity file with -i and age-plugin-yubikey identities require the YubiKey. However, you can generate the corresponding recipient with age-plugin-yubikey and place it in the .age-recipients file, and that will work without the YubiKey.
tekumara commented
Thanks @FiloSottile for the explanation! I had a .age_recipients file in ~/.passage. Once I moved it to ~/.passage/store I was no longer prompted for the yubikey.
tekumara commented
(I'll have to re-encrypt all the secrets I encrypted using just the identity file, and not the full set of recipients in .age_recipients)
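An added example, not part of the thread and not passage's own code: one way to build the store's .age-recipients file without the YubiKey plugged in, and to catch a recipients file left one directory above the store. It assumes the identity file still carries the `# Recipient: age1yubikey1...` comment line from when it was generated; the function names and the sample key material are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the identity file keeps the
# "#    Recipient: age1yubikey1..." comment from when it was generated.

# Print each recipient found in the identity file's comment header.
extract_recipients() {
    sed -n 's/^#[[:space:]]*Recipient:[[:space:]]*\(age1yubikey1[0-9a-z]*\)[[:space:]]*$/\1/p' "$1"
}

# Write those recipients to <store>/.age-recipients; fail if none were found.
write_recipients() {
    identities=$1; store=$2
    found=$(extract_recipients "$identities" | sort -u)
    if [ -z "$found" ]; then
        echo "no Recipient: comment in $identities" >&2
        return 1
    fi
    mkdir -p "$store" && printf '%s\n' "$found" > "$store/.age-recipients"
}

# Return 1 if a recipients file sits one level above the store but not inside
# it (the misplacement described in the thread).
check_location() {
    store=$1; parent=$(dirname "$store")
    if [ ! -f "$store/.age-recipients" ] && [ -f "$parent/.age-recipients" ]; then
        echo "recipients file is in $parent, not $store" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed identity file (serial from the thread, fake key data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/identities" <<'EOF'
#       Serial: 12345678, Slot: 1
#    Recipient: age1yubikey1qconstructedexample0000
AGE-PLUGIN-YUBIKEY-1CONSTRUCTEDEXAMPLE
EOF
    write_recipients "$tmp/identities" "$tmp/store" && cat "$tmp/store/.age-recipients"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Secrets that were encrypted before the recipients file was in place are still wrapped only to the identity, so they need re-encrypting, as the last comment notes.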