It’s been years since I went through all the trouble of setting up my own GPG keys and securing them in YubiKeys following drduh’s guidelines. With that approach, you generate a key securely offline and store it on multiple YubiKeys with backups.
This has worked well for me for years, and as the Lindy effect suggests, it will almost certainly continue to do so.
But with my subkeys nearing expiration, I was faced with either renewing them (more convenient, but no security gain) or rotating them (rather painful, but potentially more secure). Then I realized that I essentially only use these keys for encryption, and almost never for signing. So, instead of taking one of the usual options, I’ll just let my keys expire completely.
I am now experimenting with age, which bills itself as “simple, modern and secure encryption”. If I need signatures, I will use minisign.
Workflow changes
This required changing a few things in my normal workflow.
Password manager
First, and most importantly, I needed to switch from pass to passage, a fork of pass that uses age as its backend. It was surprisingly easy, because passage ships a simple bash script to perform the migration.
#! /usr/bin/env bash
set -eou pipefail
# Work from the root of the pass store (default location unless PASSWORD_STORE_DIR is set).
cd "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
while read -r -d "" passfile; do
    # Turn ./path/to/entry.gpg into the pass entry name path/to/entry.
    name="${passfile#./}"; name="${name%.gpg}"
    # Skip entries that already exist in the passage store.
    [[ -f "${PASSAGE_DIR:-$HOME/.passage/store}/$name.age" ]] && continue
    # Decrypt with pass and re-encrypt with passage; on failure, drop the partial entry and stop.
    pass "$name" | passage insert -m "$name" || { passage rm "$name"; break; }
done < <(find . -path '*/.git' -prune -o -iname '*.gpg' -print0)
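The migration loop stops at the first entry that fails to insert, so a diff of the two stores afterwards is a worthwhile check. The following script is an added example, not part of this post or of passage: it reuses the script's default store locations (PASSWORD_STORE_DIR and PASSAGE_DIR) and its naming rule (path relative to the store root, extension stripped, .git pruned, *.gpg matched case-insensitively), and the demo() function builds a constructed pair of stores in a temporary directory.

```python
"""Post-migration check: which pass entries have no passage counterpart?"""
import os
import tempfile
from pathlib import Path


def store_entries(root: Path, ext: str) -> set[str]:
    """Entry names under root whose extension (case-insensitive) is ext, e.g. ".gpg"."""
    names = set()
    for path in root.rglob("*"):
        if ".git" in path.relative_to(root).parts:
            continue  # same effect as `-path '*/.git' -prune`
        if path.is_file() and path.suffix.lower() == ext:
            names.add(path.relative_to(root).with_suffix("").as_posix())
    return names


def find_unmigrated(pass_dir: Path, passage_dir: Path) -> list[str]:
    """Names present in the pass store but missing from the passage store, sorted."""
    return sorted(store_entries(pass_dir, ".gpg") - store_entries(passage_dir, ".age"))


def demo() -> list[str]:
    """Constructed stores (not real data): one entry was never migrated."""
    with tempfile.TemporaryDirectory() as tmp:
        pass_dir = Path(tmp) / ".password-store"
        passage_dir = Path(tmp) / ".passage" / "store"
        fixtures = {
            pass_dir: ("email/work.gpg", "shell/github.gpg", "Wifi/Home.GPG", ".git/objects/junk.gpg"),
            passage_dir: ("email/work.age", "shell/github.age"),
        }
        for root, rels in fixtures.items():
            for rel in rels:
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(b"")  # contents do not matter here, only the names
        return find_unmigrated(pass_dir, passage_dir)


if __name__ == "__main__":
    pass_dir = Path(os.environ.get("PASSWORD_STORE_DIR", Path.home() / ".password-store"))
    passage_dir = Path(os.environ.get("PASSAGE_DIR", Path.home() / ".passage" / "store"))
    for name in find_unmigrated(pass_dir, passage_dir):
        print("not migrated:", name)
```

Run it once the migration script has finished; an empty output means every pass entry has an .age counterpart (it says nothing about whether the contents match, which only a decrypt-and-compare would show).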
There is no installer for passage, and no Arch package. But it’s quite easy to install, since it’s just a shell script you can put on your $PATH. Note that on Arch I also had to install tree, which passage assumes you have.
I also alias passage to pass on my machine.
The advantage is that everything that integrated with pass continues to “just work.” For example, aerc, my email client of choice, behaves exactly the same after the migration.
No more gpg-agent
I used to sometimes use gpg-agent as my SSH agent on my machines. It was convenient. However, I also like the idea of having a dedicated SSH key per machine: it makes monitoring their usage and revoking them more granular.
Dropping gpg-agent forced me to set up new keys on all my machines and add them to the various servers and services.
Benefits of the age approach
Easy encryption with Chezmoi
While I was tending the encryption corner of my personal tech “garden,” I also started taking advantage of chezmoi’s encryption features. I already use chezmoi for my configuration files, but with encryption I can also easily add “secrets” to my public dotfiles repo. In my case so far, that just means my copies of my favorite paid font: Berkeley Mono.
chezmoi also has a good guide for configuring it to encrypt with age while only asking for the passphrase once.
Easy YubiKey configuration
I was also very pleasantly surprised by how easy it was to switch to age. The last time I set up GPG keys on my YubiKeys, I spent several hours.
This time, with the help of age-plugin-yubikey, and having embraced the idea of a unique key on each YubiKey while encrypting everything to multiple recipients, setting up my keys was surprisingly trivial. The plugin generates the key on the hardware key itself, which is nice. The whole process probably took 30 minutes. It was so easy that I am no longer terrified by the idea of rotating keys in the future.
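“Encrypting to multiple recipients” has a concrete shape in the file: age wraps the file key once per recipient, as one `-> ` stanza in the header, so a file meant for two YubiKeys and a backup key carries three stanzas. The parser below is an added example, not code from this post or from the age or age-plugin-yubikey projects; it follows the age v1 header grammar (version line, stanzas with base64 bodies, `--- <mac>`) and lets you count recipient stanzas with no private key or hardware present, which is a useful sanity check over a dotfiles repo. The stanza type names are the real ones (X25519, scrypt, piv-p256 for the YubiKey plugin); every byte of sample key material in build_sample() is constructed filler.

```python
"""Inspect the recipient stanzas in an age file header.

Encrypting "for multiple recipients" wraps the file key once per recipient,
one `-> ` stanza each, so listing the stanzas shows how many YubiKeys
(piv-p256) and software keys (X25519) can decrypt a file. The sample
key material in build_sample() is constructed filler, not real keys.
"""
import base64
import re
from collections import Counter
from dataclasses import dataclass

VERSION_LINE = "age-encryption.org/v1"
B64_RE = re.compile(r"[A-Za-z0-9+/]*")  # age uses unpadded base64

def b64_decode_unpadded(s: str) -> bytes:
    if not B64_RE.fullmatch(s):
        raise ValueError(f"invalid base64 in header: {s!r}")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def b64_encode_unpadded(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")

@dataclass
class Stanza:
    type: str        # "X25519", "piv-p256" (age-plugin-yubikey), "scrypt", ...
    args: list[str]
    body: bytes      # the file key, wrapped for this recipient

@dataclass
class Header:
    stanzas: list[Stanza]
    mac: bytes
    payload_offset: int  # byte offset where the encrypted payload starts

def parse_age_header(blob: bytes) -> Header:
    # Collect the ASCII header lines up to and including the "--- <mac>" line.
    lines, pos = [], 0
    while True:
        nl = blob.find(b"\n", pos)
        if nl < 0:
            raise ValueError("header not terminated by a MAC line")
        lines.append(blob[pos:nl].decode("ascii"))
        pos = nl + 1
        if lines[-1].startswith("--- "):
            break
    if lines[0] != VERSION_LINE:
        raise ValueError(f"unsupported version line: {lines[0]!r}")
    stanzas, i, last = [], 1, len(lines) - 1  # lines[last] is the MAC line
    while i < last:
        if not lines[i].startswith("-> "):
            raise ValueError(f"expected a stanza, got {lines[i]!r}")
        args = lines[i][3:].split(" ")
        if any(a == "" for a in args):
            raise ValueError("empty stanza argument")
        i, body = i + 1, b""
        while True:  # body: 64-column base64 lines; a shorter (maybe empty) line ends it
            if i >= last:
                raise ValueError("stanza body runs into the MAC line")
            chunk, i = lines[i], i + 1
            if len(chunk) > 64:
                raise ValueError("body line longer than 64 columns")
            body += b64_decode_unpadded(chunk)
            if len(chunk) < 64:
                break
        stanzas.append(Stanza(args[0], args[1:], body))
    mac = b64_decode_unpadded(lines[last][4:])
    if len(mac) != 32:
        raise ValueError("header MAC must be 32 bytes")
    if any(s.type == "scrypt" for s in stanzas) and len(stanzas) != 1:
        raise ValueError("a passphrase (scrypt) stanza must be the only stanza")
    return Header(stanzas, mac, pos)

def recipient_counts(blob: bytes) -> dict[str, int]:
    """Stanza type -> number of recipients of that type (ValueError if malformed)."""
    return dict(Counter(s.type for s in parse_age_header(blob).stanzas))

def is_valid_header(blob: bytes) -> bool:
    try:
        parse_age_header(blob)
        return True
    except ValueError:
        return False

def build_sample() -> bytes:
    """Constructed header: two YubiKey recipients plus one X25519 backup key.
    Every byte is filler rather than real key material, so it cannot be decrypted."""
    b64, header = b64_encode_unpadded, VERSION_LINE + "\n"
    for n in (1, 2):  # piv-p256: 4-byte tag, 33-byte compressed ephemeral share, 32-byte wrapped key
        header += f"-> piv-p256 {b64(bytes([n]) * 4)} {b64(bytes([2]) + bytes([n]) * 32)}\n"
        header += b64(bytes([0x10 + n]) * 32) + "\n"
    header += f"-> X25519 {b64(bytes([3]) * 32)}\n{b64(bytes([0x13]) * 32)}\n"  # 32-byte share
    header += f"--- {b64(bytes([0xAA]) * 32)}\n"
    return header.encode("ascii") + bytes(16) + bytes([0xEE]) * 48  # nonce + bogus payload chunk
```

On a real file, `recipient_counts(open("secret.age", "rb").read())` should report one piv-p256 entry per YubiKey you encrypted to; a file with fewer entries than you own hardware keys is one a backup key cannot open. The parser only reads the header, so it never needs the private half of any key.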
Thoughts
Did I need to switch to age? No way.
However, over the course of my career, I have found time and again that discovering new tools for your core workflow (part of investing in your interface) is downright fun. I often learn new ways of thinking about problems. Sometimes you leave with a new default that brings some new ideas and some happiness into your life. Other times you walk away with your trusty old tool and a greater appreciation for its history and well-established approach. For my use at this time, age definitely falls into the former camp.