Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

can't pass password via stdin during decrypt #603

Open
rdslw opened this issue Nov 26, 2024 · 4 comments
Open

can't pass password via stdin during decrypt #603

rdslw opened this issue Nov 26, 2024 · 4 comments

Comments

@rdslw
Copy link

rdslw commented Nov 26, 2024

Environment

  • OS: Linux 6.9.11
  • age version: 1.2.0

PROBLEM

Currently (afaik) it's not possible to pass passphrase to age via stdin, like:
echo -n "$passphrase" | age -d -o output_file input_file

Here, age knows that stdin is NOT used for data, because I specified input file explicitly.

This also does not work with:
some_cli_password_manager | age -d -i - -o output_file input_file

Rationale:

  1. passphrase is eventually read from stdin
  2. sometimes you must use passswords (can't use keys) in script & automation
  3. most cli tools allows it (cryptsetup etc.)
  4. also Reading pasted armored input from a terminal clashes with password prompt #364
@Gunni
Copy link

Gunni commented Feb 20, 2025
edited
Loading

what if you pass it in like age ... <(echo -n "$passphrase") ...? Note that I didn't test, just aware of that shell feature.

@rdslw
Copy link
Author

rdslw commented Feb 21, 2025

what if you pass it in like age ... <(echo -n "$passphrase") ...? Note that I didn't test, just aware of that shell feature.

Any method which is using stdin (like <( cmd ) here) will not work, due to the age not supporting passphrase via stdin during decryption. This is what I'm actually asking for :)

@Gunni
Copy link

Gunni commented Feb 21, 2025

But the command I provided does not use stdin? It makes a pipe kind of file and returns the path to it to the command.

@rdslw
Copy link
Author

rdslw commented Feb 21, 2025

But the command I provided does not use stdin? It makes a pipe kind of file and returns the path to it to the command.

That will not work because age --decrypt does not take passphrase as an command line argument (see below age --help).

The problem is that INPUT may (but not must) be used by age for content of encrypt/decrypt operation, hence age must distinguish such mode (content on stdin) from password on stdin scenario, in two ways:

  • either implictly (user provided input as filename) hence if stdin is attached it must be key/passphrase material,
  • either explicitly (by using some kind of option plus stdin).
$ age --help  
Usage:
    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Gunni @rdslw