age: encryption and decryption with SSH keys

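I recently learned about an encryption tool called age. It can encrypt with an SSH public key and decrypt with the matching private key, which sounded interesting, so I tried it out.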


install

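This time I used the package from Raspberry Pi OS bookworm armhf, since its version is the same as upstream.
Installing with go install is also easy if Go is available, and the GitHub releases page has several binaries.
Packages appear to exist for various other environments as well.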

Installing the age package on Raspberry Pi OS
$ sudo apt install age
$ age --version
1.1.1
$ dpkg-query -W age
age     1.1.1-1+b3
$ age
Usage:
    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -e, --encrypt               Encrypt the input to the output. Default if omitted.
    -d, --decrypt               Decrypt the input to the output.
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.
If OUTPUT exists, it will be overwritten.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Passphrase encrypted age files can be used as
identity files. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

When --encrypt is specified explicitly, -i can also be used to encrypt to an
identity file symmetrically, instead or in addition to normal recipients.

Example:
    $ age-keygen -o key.txt
    Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
    $ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
    $ age --decrypt -i key.txt -o data.tar.gz data.tar.gz.age

Using age keys

The age-keygen command generates a key pair for age. You share the public key.

Generating keys
$ age-keygen -o key.txt
Public key: age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr
$ cat key.txt
# created: 2024-03-30T04:44:49+09:00
# public key: age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr
AGE-SECRET-KEY-1VZVZ0VXNSP7D3XN6X545MT7EX89S2Z7F68G6CG0RZ9WKMGN0CW4STSVM26
$ age-keygen -o key2.txt
Public key: age1vz7kedcgzvzk4n4ke50wdxthll9g3muhgwlv3vz37g926frzjvvst777qe

Encrypt with the age public key and decrypt with the age secret key.

Encrypting and decrypting with keys
$ echo 'plain' > data
$ age -o data.age -r age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr data (1)
$ age --decrypt -i key.txt -o - data.age (2)
plain
$ age -o data.age -r age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr \
    -r age1vz7kedcgzvzk4n4ke50wdxthll9g3muhgwlv3vz37g926frzjvvst777qe data (3)
$ age --decrypt -i key.txt -o - data.age (4)
plain
$ age --decrypt -i key2.txt -o - data.age (5)
plain

Encrypting and decrypting with a passphrase

Encryption
$ age --passphrase -o data.age data (1)
Enter passphrase (leave empty to autogenerate a secure one):
Confirm passphrase:
$ age --passphrase -o data.age data (2)
Enter passphrase (leave empty to autogenerate a secure one):
age: using autogenerated passphrase "resist-host-rabbit-rapid-choose-slender-legal-ramp-forward-scare"
$ age --passphrase --armor data (3)
age: using autogenerated passphrase "what-open-rifle-junior-meadow-grass-hurdle-cigar-hybrid-slide"
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBxcGxLRjNySGliS3ZyUmUz
Tm5MMnVRIDE4ClQzVUhlUmJlSGQrSmdUcU1xaEo0ZkFUcGpLWGZpUnBEbjNPbDMy
WDk4ZHcKLS0tIFRic2twRVFOVkJ3a2Y3UWZ3WEdxcG5iSi9qWk5TU1UydWllVG1G
NlBmMkkKh1ok+t0EGZrBXEQujdb6JQLcIGyZXcnvJrAetajKdVImFUCHXu0=
-----END AGE ENCRYPTED FILE-----
  1. Encrypt with a passphrase you choose.
  2. If you enter no passphrase, age generates one for you.
  3. The -a/--armor option outputs PEM format.
Decryption
$ age --decrypt -o - ./data.age
Enter passphrase:
plain
$ echo '-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBxcGxLRjNySGliS3ZyUmUz
Tm5MMnVRIDE4ClQzVUhlUmJlSGQrSmdUcU1xaEo0ZkFUcGpLWGZpUnBEbjNPbDMy
WDk4ZHcKLS0tIFRic2twRVFOVkJ3a2Y3UWZ3WEdxcG5iSi9qWk5TU1UydWllVG1G
NlBmMkkKh1ok+t0EGZrBXEQujdb6JQLcIGyZXcnvJrAetajKdVImFUCHXu0=
-----END AGE ENCRYPTED FILE-----' | age --decrypt -o -
Enter passphrase:
plain

Encrypting and decrypting with SSH keys

This is what I wanted to try.

Encrypting and decrypting with ed25519
$ age --armor -R ~/.ssh/id_ed25519.pub data
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGVSY0tCZyBZRUJD
NUZ6OWpQWDlzK2JKbmszaVp1ak9TQ0NZWkxoM0JuRlhtTm1hNVdFCjZqV0RlRldI
cjY4TDJJR1hRckxNUkw2QmoreGVoRURzRGhRYllZUjBXck0KLS0tIEJBaFVXa3J0
RHFobkVzUnRLaDZaUDVHdnpTbklHYmozQThKKzVKT3haUkEKaRkef04BHGL2sDPy
B9hl8CCpgJ57fOZtLBG8tPruAz5uASNhJss=
-----END AGE ENCRYPTED FILE-----
$ echo '-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGVSY0tCZyBZRUJD
NUZ6OWpQWDlzK2JKbmszaVp1ak9TQ0NZWkxoM0JuRlhtTm1hNVdFCjZqV0RlRldI
cjY4TDJJR1hRckxNUkw2QmoreGVoRURzRGhRYllZUjBXck0KLS0tIEJBaFVXa3J0
RHFobkVzUnRLaDZaUDVHdnpTbklHYmozQThKKzVKT3haUkEKaRkef04BHGL2sDPy
B9hl8CCpgJ57fOZtLBG8tPruAz5uASNhJss=
-----END AGE ENCRYPTED FILE-----' | age -d -i ~/.ssh/id_ed25519
plain
Encrypting with RSA
$ echo 'plain' | age --armor -R ./rsa1024.pub
age: warning: recipients file "./rsa1024.pub": ignoring unsupported SSH key of type "ssh-rsa" at line 1
age: error: failed to parse recipient file "./rsa1024.pub": "./rsa1024.pub": no recipients found
age: report unexpected or unhelpful errors at https://filippo.io/age/report
$ echo 'plain' | age --armor -R ./rsa2048.pub
-----BEGIN AGE ENCRYPTED FILE-----
$ echo 'plain' | age --armor -R ./rsa3072.pub
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----
$ echo 'plain' | age --armor -R ./rsa4096.pub
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----

RSA1024 resulted in an error. I think the current default for RSA is 3072, so the short 1024-bit key length may be getting rejected.

Encrypting to multiple keys
$ echo 'plain' | age --armor -R ./rsa2048.pub -R ./rsa3072.pub -R ./rsa4096.pub -R ~/.ssh/id_ed25519.pub
-----BEGIN AGE ENCRYPTED FILE-----
-----END AGE ENCRYPTED FILE-----

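Encrypting to multiple keys including both RSA and ED25519 worked without problems. (I won't show it here because it takes up space, but decryption with each key also worked.)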
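
An added example (not part of the original post or of age itself): the header of an age file is not encrypted, so the recipient stanzas in armored output such as the files produced above can be read without any key, and for SSH recipients each stanza carries a short tag derived from the public key. The Python below lists the stanzas and checks which of a set of `.pub` lines a file is addressed to; the sample header and the `PUB_*` lines are constructed stand-ins, not real keys or ciphertext.

```python
import base64
import hashlib

VERSION_LINE = "age-encryption.org/v1"

def ssh_tag(pub_line):
    """Tag age writes for an SSH recipient: the first 4 bytes of SHA-256 over
    the key blob (field 2 of the .pub line), as unpadded base64."""
    blob = base64.b64decode(pub_line.split()[1])
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).decode().rstrip("=")

def recipient_stanzas(armored):
    """Return (type, args) for every '-> ' stanza of the plaintext header."""
    body = "".join(l.strip() for l in armored.splitlines()
                   if not l.startswith("-----"))
    lines = base64.b64decode(body).split(b"\n")
    if lines[0] != VERSION_LINE.encode():
        raise ValueError("not an age v1 file")
    stanzas = []
    for line in lines[1:]:
        if line.startswith(b"---"):   # header MAC; encrypted payload follows
            break
        if line.startswith(b"-> "):
            kind, *args = line[3:].decode("ascii").split(" ")
            stanzas.append((kind, args))
    return stanzas

def keys_addressed(armored, pub_lines):
    """Subset of the given SSH public keys that the file is encrypted to."""
    tags = {a[0] for k, a in recipient_stanzas(armored) if k.startswith("ssh-")}
    return [p for p in pub_lines if ssh_tag(p) in tags]

def constructed_sample(pub_lines):
    """Constructed, simplified header (no real ciphertext) for pub_lines."""
    hdr = [VERSION_LINE]
    for p in pub_lines:
        hdr += ["-> %s %s" % (p.split()[0], ssh_tag(p)), "Ym9keQ"]
    hdr += ["-> X25519 c2hhcmU", "Ym9keQ", "--- bWFj", "payload"]
    b64 = base64.b64encode("\n".join(hdr).encode()).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN AGE ENCRYPTED FILE-----", *rows,
                      "-----END AGE ENCRYPTED FILE-----"])

# Constructed stand-ins for .pub lines (arbitrary blobs, not real keys).
PUB_A = "ssh-rsa " + base64.b64encode(b"constructed-blob-A").decode() + " a@host"
PUB_B = "ssh-ed25519 " + base64.b64encode(b"constructed-blob-B").decode() + " b@host"
PUB_C = "ssh-ed25519 " + base64.b64encode(b"constructed-blob-C").decode() + " c@host"
if __name__ == "__main__":
    print(keys_addressed(constructed_sample([PUB_A, PUB_B]), [PUB_A, PUB_B, PUB_C]))
```

Because the tag is stable per key, anyone holding two files can tell that they share an SSH recipient; stanzas for native age recipients (`age1...`) carry no such tag.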

Fetching the age author's keys and encrypting ... failed
$ wget https://github.com/FiloSottile.keys
$ age -a -R ./FiloSottile.keys data
age: warning: recipients file "./FiloSottile.keys": ignoring unsupported SSH key of type "ecdsa-sha2-nistp256" at line 1
age: error: failed to parse recipient file "./FiloSottile.keys": "./FiloSottile.keys": no recipients found
age: report unexpected or unhelpful errors at https://filippo.io/age/report
$ dd if=FiloSottile.keys bs=20 count=1 2>/dev/null; echo
ecdsa-sha2-nistp256

I downloaded the age author's keys from GitHub and tried to encrypt to them, but the published key format appears to be ed25519-sk, a key type age does not support, so I could not encrypt.

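I get the impression that quite a few people who do not publish a GPG key do publish SSH keys on GitHub and similar sites, so being able to encrypt and decrypt with SSH keys seems handy.
openssl can do this too and is installed in many environments, but its commands are cumbersome; age is simple to use, so it would be convenient if it caught on.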

Environment
$ dpkg-query -W age openssh-client openssl
age     1.1.1-1+b3
openssh-client  1:9.2p1-2+deb12u2
openssl 3.0.11-1~deb12u2+rpt1
$ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
$ arch
armv7l
$ cat /proc/device-tree/model ;echo
Raspberry Pi 3 Model B Rev 1.2
