
support rekey #18

Closed
wants to merge 1 commit into from

Conversation

mbauhardt
Contributor

I want to have an option to re-encrypt my password-store with a new recipient.

@arcxio
Collaborator

arcxio commented Jun 12, 2024

why?

@mbauhardt
Contributor Author

Let's say

  • I have a remote shell where I host my passwords encrypted with one key, this could be the key from my laptop A.
  • I'm getting a new laptop B, and I create a second key, instead of spreading one key over multiple devices.
  • The idea would be to have one key per device, a device would be a laptop or a yubikey.

To support adding and removing keys which can access my passwords, a convenient function to re-encrypt all passwords would be helpful.

@arcxio
Collaborator

arcxio commented Jun 13, 2024

with this implementation you'd still need to manually add the keys to the store, right? so the workflow would go something like:

```
~> cd ~/.local/share/pa
~/.local/share/pa> age-keygen -o new_identities
Public key: age1decux8l6p7pjps9grm0f7ld4cue27lja26err8fq2hmmx8pqg5ysqrcwxk
~/.local/share/pa> age-keygen -y new_identities >> recipients
~/.local/share/pa> pa rekey
~/.local/share/pa> mv new_identities identities
~/.local/share/pa> ex -c ':1d' -c ':wq' recipients
```

it doesn't seem like a good UX for a command, at least it should rotate the keys automatically... but then I think a separate script would be a better fit, because it looks like a one-shot operation that doesn't really need to be a core feature, and it also could be used independently of pa store as a solution for FiloSottile/age#136

@arcxio
Collaborator

arcxio commented Jun 17, 2024

so I think the ability to rotate keys and re-encrypt all passwords easily is a useful suggestion, I just don't like how it's done here and I'm not sure if it should be a separate command. how about this contrib/ script? you just run it and you're all set with the new keys

```sh
#!/bin/sh
# Rotate the store to a freshly generated age key: create a new identity,
# re-encrypt every entry to its public key, then swap the key files into place.
set -e  # abort on any failure so the old key files are never replaced after a partial run
basedir="${XDG_DATA_HOME:=$HOME/.local/share}/pa"
: "${PA_DIR:=$basedir/passwords}"
umask 077  # new key material and temporary ciphertexts are created owner-readable only
age-keygen -o "$basedir/identities.tmp" 2>/dev/null
age-keygen -y -o "$basedir/recipients.tmp" "$basedir/identities.tmp" 2>/dev/null
# Decrypt each entry with the current identities and re-encrypt it to the new
# recipients; write to a temporary file and rename it so no entry is left truncated.
pa list | while read -r name; do
    pa show "$name" |
        age --encrypt -R "$basedir/recipients.tmp" -o "$PA_DIR/$name.tmp.age"
    mv "$PA_DIR/$name.tmp.age" "$PA_DIR/$name.age"
done
# Only now replace the old key files; from here on the store is readable
# solely with the new identity.
mv "$basedir/identities.tmp" "$basedir/identities"
mv "$basedir/recipients.tmp" "$basedir/recipients"
```

@biox @mbauhardt

@biox
Owner

biox commented Jun 17, 2024

love the idea of keeping this in contrib, makes sense to me

@mbauhardt
Contributor Author

mbauhardt commented Jun 18, 2024

Ok, from a unix perspective, having pa which can encrypt and decrypt, the combination of both doesn't need to be part of the core. Having it in a contrib dir is fine and good enough.

From my perspective, the creation of the identities and recipients shouldn't be part of the contrib tool. This infrastructure is up to the use case or how the end user would like to have their keys organized.

for me:

  • on my remote host where I host my passwords, I would like to be able to encrypt passwords for a set of recipients (the public part of the keys)
  • the identities for decryption are available on my devices, one dedicated key for each device (the private part of the keys)

Does that make sense?

@arcxio
Collaborator

arcxio commented Jun 18, 2024

> Does that make sense?

ok, got it, here's the simple solution for the aforementioned script (let's call it pa-rekey):

-age-keygen -y -o "$basedir/recipients.tmp" "$basedir/identities.tmp" 2>/dev/null
+age-keygen -y "$basedir/identities.tmp" >>"$basedir/recipients.tmp" 2>/dev/null
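Review bot: the `+` line keeps `2>/dev/null` while switching to `>>`, so a failed `age-keygen -y` is invisible and `recipients.tmp` is left holding only the old recipients that were copied into it beforehand; the loop would then re-encrypt every entry to the old keys only, while the final `mv "$basedir/identities.tmp" "$basedir/identities"` still installs the new identity. Suggest dropping the redirection or appending `|| exit 1` to that line. Appending also means a stale `recipients.tmp` left behind by an earlier aborted run is silently carried into the new recipients list, so it is worth checking the file's contents before the loop starts.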

then this should do what you need:

```
~> cp ~/.local/share/pa/recipients ~/.local/share/pa/recipients.tmp
~> pa-rekey
```
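A post-rekey verification step, added here as an example and not part of the thread's script: an age v1 file starts with a plain-text header (`age-encryption.org/v1`, one `-> X25519 ...` stanza per recipient, then a `--- <mac>` line before the binary payload), so counting those stanzas in every entry and comparing with the number of `age1...` lines in the recipients file confirms that the whole store was actually re-encrypted to the expected set of keys before the old identity is discarded. It assumes entries sit directly under the passwords directory as `name.age` and that the recipients file holds one native age key per line; the store and recipients paths are passed as arguments.

```sh
#!/bin/sh
# Check that every pa entry is encrypted to as many X25519 recipients as the
# recipients file lists. Only the ASCII age header is inspected; the binary
# payload after the "--- <mac>" line is never read.

# Print how many "-> X25519" recipient stanzas the age file at $1 carries.
age_recipient_count() {
    sed -n -e '/^--- /q' -e '/^-> X25519 /p' "$1" | wc -l | tr -d ' '
}

# Print the number of native age recipients (lines starting with "age1") in $1.
recipients_expected() {
    grep -c '^age1' "$1"
}

# Compare every *.age entry directly under $1 against the recipients file $2.
# Prints one line per mismatching entry; returns 0 only if all entries match,
# 2 if the recipients file is missing.
check_store() {
    store=$1 recipients=$2 status=0
    [ -f "$recipients" ] || { printf 'no recipients file: %s\n' "$recipients"; return 2; }
    expected=$(recipients_expected "$recipients") || true  # grep -c exits 1 on zero matches
    for f in "$store"/*.age; do
        [ -f "$f" ] || continue   # unmatched glob
        n=$(age_recipient_count "$f")
        if [ "$n" -ne "$expected" ]; then
            printf '%s: encrypted to %s recipient(s), expected %s\n' "$f" "$n" "$expected"
            status=1
        fi
    done
    return "$status"
}

# Usage: sh check-rekey.sh ~/.local/share/pa/passwords ~/.local/share/pa/recipients
if [ "$#" -ge 2 ]; then
    check_store "$1" "$2"
fi
```

A non-zero exit means at least one entry was not re-encrypted to the full recipient set and the old identity should not be removed yet.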

@arcxio
Collaborator

arcxio commented Jun 19, 2024

let's move to #27

@arcxio arcxio closed this Jun 19, 2024