passage
=======
passage is a fork of password-store (https://www.passwordstore.org) that uses
age (https://age-encryption.org) as a backend instead of GnuPG.
Differences from pass
---------------------
The password store is at $HOME/.passage/store by default.
For decryption, the age identities at $HOME/.passage/identities are used with
the -i age CLI option.
For encryption, the nearest .age-recipients file (that is, the one in the same
directory as the secret, or in the closest parent) is used with the -R age CLI
option. If no .age-recipients files are found, the identities file is used with
the -i option.
Extensions are searched at $HOME/.passage/extensions. password-store extensions
that wish to be compatible with passage can switch on the PASSAGE variable.
The init command is not currently available, and moving or copying a secret
always re-encrypts it.
Example: simple set up
----------------------
In this setup, the key is simply saved on disk, which can be useful if the
password store is synced to a location less trusted than the local disk.
age-keygen >> $HOME/.passage/identities
Example: set up with a password-protected key
---------------------------------------------
This setup allows using the identity file password as the primary password
to unlock the store.
KEY="$(age-keygen)"
echo "$KEY" | age -p -a >> $HOME/.passage/identities
echo "$KEY" | age-keygen -y >> $HOME/.passage/store/.age-recipients
Example: set up with age-plugin-yubikey
---------------------------------------
This setup requires age v1.1.0, or rage (https://github.com/str4d/rage), and
the PIV plugin age-plugin-yubikey (https://github.com/str4d/age-plugin-yubikey).
It's recommended to add more YubiKeys and/or age keys to the .age-recipients
file as recovery options, in case this YubiKey is lost.
age-plugin-yubikey # run interactive setup
age-plugin-yubikey --identity >> $HOME/.passage/identities
age-plugin-yubikey --list >> $HOME/.passage/store/.age-recipients
Integrating with fzf
--------------------
The following script can be invoked with any (or no) passage flags, and
spawns a fuzzy search dialog using fzf (https://github.com/junegunn/fzf)
for selecting the secret.
#! /usr/bin/env bash
set -eou pipefail
PREFIX="${PASSAGE_DIR:-$HOME/.passage/store}"
FZF_DEFAULT_OPTS=""
name="$(find "$PREFIX" -type f -name '*.age' | \
sed -e "s|$PREFIX/||" -e 's|\.age$||' | \
fzf --height 40% --reverse --no-multi)"
passage "${@}" "$name"
Migrating from pass
-------------------
#! /usr/bin/env bash
set -eou pipefail
cd "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
while read -r -d "" passfile; do
name="${passfile#./}"; name="${name%.gpg}"
[[ -f "${PASSAGE_DIR:-$HOME/.passage/store}/$name.age" ]] && continue
pass "$name" | passage insert -m "$name" || { passage rm "$name"; break; }
done < <(find . -path '*/.git' -prune -o -iname '*.gpg' -print0)
Environment variables
---------------------
PASSAGE_DIR Password store location
PASSAGE_IDENTITIES_FILE Identities file location
PASSAGE_AGE age binary (tested with age and rage)
PASSAGE_RECIPIENTS_FILE Override recipients for encryption operations
Passed to age with -R
PASSAGE_RECIPIENTS Override recipients for encryption operations
Space separated, each passed to age with -r
All other environment variables from password-store are respected, such as
PASSWORD_STORE_CLIP_TIME and PASSWORD_STORE_GENERATED_LENGTH.
