agec

age encrypt. Yet another attempt to store, manage, and share secrets in a git repository, built on age.

Background

There are plenty of mature solutions for this: sops, git-crypt, blackbox, agebox, git-agecrypt. I was frustrated with the way they worked. I wanted something with:

  • Simple workflow, simple encryption with just SSH keys
  • Better shell experience
    • Shell completions (bash, zsh, fish)
    • Invoke command from any subdirectory
  • A mechanism to share secrets with a limited set of users/groups within the repository.

agec is basically just a small wrapper around age.

Installation

Download a binary from releases:

Linux

curl -s -L "https://github.com/aca/agec/releases/download/v0.1.0/agec_0.1.0_linux_amd64.tar.gz" | tar xvz agec
sudo mv agec /usr/local/bin

Darwin

curl -s -L "https://github.com/aca/agec/releases/download/v0.1.0/agec_0.1.0_darwin_all.tar.gz" | tar xvz agec
sudo mv agec /usr/local/bin

Or build from source (agec requires Go >= 1.18):

go install github.com/aca/agec@v0.1.0

Shell completions require additional setup; bash, zsh and fish are supported:

agec completion [SHELL] --help

Example workflow

Replace “aca” with your GitHub id. This example uses the public keys registered on GitHub for encryption.

Clone the repository; examples/ will serve as the root directory for trying out agec. Alternatively, start from any directory with agec init.

git clone https://github.com/aca/agec.git
cd agec/examples

Add yourself as a user and a member of the existing group admin, using your public keys from GitHub:

curl -s "https://github.com/aca.keys" | agec useradd aca -g admin -R -
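The .keys endpoint returns every public key on the account, not just the ones age can use: age only accepts ssh-ed25519 and ssh-rsa keys as recipients, so ecdsa or FIDO (sk-*) keys in the listing cannot be encrypted to, and a mistyped username yields an error body instead of keys. The shell filter below is an added example, not part of agec; it keeps only the usable key lines, reports what it dropped, and exits non-zero when nothing usable remains. The key material in the sample input is constructed for illustration and is not a real key.

```shell
#!/bin/sh
# Added example (not agec's own code): filter a GitHub ".keys" listing down to
# the SSH key types age can encrypt to, and fail closed if none remain.

# Usage: filter_age_recipients < keys.txt
# Prints accepted "type blob" lines on stdout, skipped lines on stderr;
# exit status is 1 when no usable recipient was found.
filter_age_recipients() {
    awk '
        # Skip blank lines and comments.
        /^[[:space:]]*$/ || /^#/ { next }
        # Accept only ssh-ed25519 and ssh-rsa (the types age supports as
        # recipients) and require the second field to look like a base64 blob.
        ($1 == "ssh-ed25519" || $1 == "ssh-rsa") && $2 ~ /^[A-Za-z0-9+\/]+=*$/ && length($2) >= 40 {
            print $1 " " $2
            kept++
            next
        }
        # Anything else (ecdsa, sk-*, an HTTP error body, garbage) is dropped.
        { print "skipped: " $0 > "/dev/stderr" }
        END { if (kept > 0) exit 0; exit 1 }
    '
}

# Constructed sample input (fake key material): one usable key of each type,
# an ecdsa key, a FIDO key, and a plain-text error body standing in for what a
# wrong username returns.
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDocsOnly0000000000000000
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFakeEcdsaMaterial0000000000
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFakeSkMaterial0000000000
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFakeRsaKeyMaterialForDocsOnly000000000000000000000000000000
Not Found'

# Helper: number of recipients that survive the filter for a given listing.
count_age_recipients() {
    printf '%s\n' "$1" | filter_age_recipients 2>/dev/null | wc -l | tr -d ' '
}

# Demo: only the ssh-ed25519 and ssh-rsa lines are printed.
printf '%s\n' "$SAMPLE_KEYS" | filter_age_recipients
```

Put the filter between curl and useradd, as in curl -fsS "https://github.com/aca.keys" | filter_age_recipients | agec useradd aca -g admin -R -. The -f flag makes curl fail on an HTTP error instead of passing the error page downstream, and in bash or zsh set -o pipefail makes the whole pipeline report a failure from curl or the filter rather than only useradd's exit status.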

agec has the concepts of ‘user’ and ‘group’. You can inspect them in the root configuration:

cat .agec.yaml

Create an encrypted file that can be decrypted only by “aca” or members of group admin:

agec encrypt secret.txt -u aca -g admin

Decrypt the file. By default agec tries the private keys in ~/.ssh:

agec decrypt secret.txt.age

Edit the decrypted file as needed.

chown changes the recipients so the secret is encrypted to the public keys of user:james instead of user:aca plus group:admin:

agec chown -u james -g '' secret.txt

Re-encrypt it. Since you (aca) are no longer a recipient, you won't be able to decrypt the new file. Note that earlier commits of secret.txt.age remain decryptable with the old recipients' keys, so rotate the secret itself if you are revoking someone's access:

agec encrypt secret.txt
agec decrypt secret.txt.age # fail

Decrypt it with james's private key instead:

agec decrypt secret.txt.age -i james.agekey # success

List the available commands and their detailed usage:

agec --help
agec [command] --help
