FiloSottile/passage

Using multiple identities with age-plugin-yubikey

kfken opened this issue · 2 comments

kfken commented

I created a password with only one identity in my .passage/identities file. Then later I added a new identity to the same file. Both identities (and recipients in .passage/store/.age-recipients) were set up using age-plugin-yubikey.

Then I used passage cp to reencrypt the secret using the new age-recipients file. When I tried to decrypt the secret, age-plugin-yubikey prompted me for the yubikey that was first in the identities file. I didn't see how to have it use the new yubikey whose recipient key was used to encrypt the secret.

Does passage + age-plugin-yubikey support multiple yubikeys? Apologies if this is more of an age-plugin-yubikey question.

cc: @str4d

Hi! Yeah, multiple YubiKeys are supported, but are tried sequentially, because we spent a long time talking about the logic involved in coalescing multiple identities to try in parallel and couldn't find a predictable UX.

What's currently missing is a way to cancel out of the "plug in YubiKey X" dialog so it can proceed to the next one without waiting for the timeout. We built some changes into the plugin protocol to support it, but I think the changes haven't made it to age-plugin-yubikey yet.
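Since the identities are tried one after another and there is no way yet to skip the "plug in YubiKey X" prompt, one practical workaround is to put the YubiKey you want prompted first at the top of the identities file. The script below is an added example, not code from passage or age-plugin-yubikey. It assumes the file layout that `age-plugin-yubikey --identity` prints (a run of `#` comment lines carrying Serial, Slot and Recipient fields, followed by one `AGE-PLUGIN-YUBIKEY-1...` line), and it assumes age tries the identities in file order, which is what the sequential behaviour described in the reply implies. The two identities in `SAMPLE_IDENTITIES` are constructed placeholders, not real keys.

```python
"""Reorder an age-plugin-yubikey identities file so a chosen YubiKey is tried first.

Added example (not passage or age-plugin-yubikey code). Assumptions:
  * layout as printed by `age-plugin-yubikey --identity`: '#' comment lines
    with Serial/Slot/Recipient fields, then one AGE-PLUGIN-YUBIKEY-1... line;
  * age tries identities in the order they appear in the file.
"""
import argparse
import re
import sys
from dataclasses import dataclass

# Plugin identities are uppercase bech32 with the AGE-PLUGIN-YUBIKEY- prefix.
IDENTITY_RE = re.compile(r"^AGE-PLUGIN-YUBIKEY-1[A-Z0-9]+$")

# Constructed sample file with two identities; the key strings are placeholders.
SAMPLE_IDENTITIES = """\
#       Serial: 12345678, Slot: 1
#         Name: age identity 7e1f2a3b
#      Created: 2023-01-01 10:00:00
#    Recipient: age1yubikey1qconstructedfirstrecipientplaceholderxxxxxxxxxxxxxxxxxx
AGE-PLUGIN-YUBIKEY-1QYQSZQGPQYQSZQGPQYQSZQGPQYQSZQGPQYQSZQGPQYQSZQGPQYQSZQGPQYQSZQ

#       Serial: 87654321, Slot: 1
#         Name: age identity 9c4d5e6f
#      Created: 2023-06-01 12:00:00
#    Recipient: age1yubikey1qconstructednewrecipientplaceholderxxxxxxxxxxxxxxxxxxxx
AGE-PLUGIN-YUBIKEY-1Q2WSXEDCRFVTGBYHNUJMIK0LPQ2WSXEDCRFVTGBYHNUJMIK0LPQ2WSXEDCRFV
"""


@dataclass
class Identity:
    comments: list        # the '#' lines that precede the identity line
    identity: str         # the AGE-PLUGIN-YUBIKEY-1... line

    def field(self, name):
        """Value of a '#   Name: value' comment field, e.g. field('Serial') -> '12345678'."""
        for line in self.comments:
            m = re.match(r"#\s*" + re.escape(name) + r":\s*([^,\s]+)", line)
            if m:
                return m.group(1)
        return None


def parse_identities(text):
    """Split the file into Identity blocks, keeping each identity's own comments."""
    identities, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank separators are re-added by render()
        if line.startswith("#"):
            pending.append(line)
        elif IDENTITY_RE.match(line):
            identities.append(Identity(pending, line))
            pending = []
        else:
            raise ValueError(f"unrecognised line in identities file: {line!r}")
    if pending:
        raise ValueError("trailing comment lines without an identity line")
    return identities


def prefer(identities, serial=None, recipient=None):
    """Return a new list with the identity matching serial/recipient first.

    The relative order of the remaining identities is preserved, so the
    fallback sequence is unchanged apart from the promoted entry.
    """
    def matches(ident):
        return ((serial is not None and ident.field("Serial") == serial) or
                (recipient is not None and ident.field("Recipient") == recipient))

    chosen = [i for i in identities if matches(i)]
    if len(chosen) != 1:
        raise LookupError(f"expected exactly one matching identity, found {len(chosen)}")
    return chosen + [i for i in identities if i is not chosen[0]]


def render(identities):
    """Serialise identity blocks back into the plugin's file layout."""
    return "\n\n".join("\n".join(i.comments + [i.identity]) for i in identities) + "\n"


def reorder_text(text, serial=None, recipient=None):
    """Parse, promote the chosen identity, and return the rewritten file text."""
    return render(prefer(parse_identities(text), serial=serial, recipient=recipient))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="move one YubiKey identity to the top")
    ap.add_argument("path", help="identities file, e.g. ~/.passage/identities")
    group = ap.add_mutually_exclusive_group(required=True)
    group.add_argument("--serial", help="YubiKey serial from the '# Serial:' comment")
    group.add_argument("--recipient", help="age1yubikey1... recipient from the comment")
    args = ap.parse_args()
    with open(args.path, encoding="utf-8") as fh:
        original = fh.read()
    sys.stdout.write(reorder_text(original, serial=args.serial, recipient=args.recipient))
```

Run it as `python reorder.py ~/.passage/identities --serial 87654321 > identities.new`, inspect the result, then replace the original file. It writes to stdout on purpose so a parse error never leaves a half-written identities file behind.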

kfken commented

Makes sense. Of course, I'm using unreleased branches (age) and implementors of unfinished specs (age-plugin-yubikey), so it's fantastic they work together at all :)