agec
age encrypt. Yet another attempt to store, manage and share secrets in a git repository, based on age.
Background
There are plenty of mature solutions for this: sops, git-crypt, blackbox, agebox, git-agecrypt. I was frustrated with the way it all worked. I wanted something with
- Simple workflow, simple encryption with just SSH keys
- Better shell experience
- Shell completions (bash, zsh, fish)
- Invoke command from any subdirectory
- Mechanism to share secrets with limited users/groups in the repository.
agec is basically just a small wrapper around age.
Installation
Download binary from releases
Linux
curl -s -L "https://github.com/aca/agec/releases/download/v0.1.0/agec_0.1.0_linux_amd64.tar.gz" | tar xvz agec
sudo mv agec /usr/local/bin
Darwin
curl -s -L "https://github.com/aca/agec/releases/download/v0.1.0/agec_0.1.0_darwin_all.tar.gz" | tar xvz agec
sudo mv agec /usr/local/bin
Or build from source (agec requires Go >= 1.18)
go install github.com/aca/[email protected]
Shell completions require additional setup. bash, zsh and fish are supported.
agec completion [SHELL] --help
Example workflow
Replace “aca” with your GitHub ID. This example uses the public keys registered on GitHub for encryption.
Clone the repository; examples/ will be the root directory for testing agec. Or just start from any directory with agec init.
git clone https://github.com/aca/agec.git
cd agec/examples
Add yourself as a user and member of the existing group admin, with public keys from GitHub
curl -s "https://github.com/aca.keys" | agec useradd aca -g admin -R -
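An added check, not part of agec: the keys fetched in this step become the recipients that can decrypt secrets, so it is worth validating the list and comparing fingerprints out of band before piping it to `agec useradd`. This Python sketch accepts only the SSH key types age supports as recipients (ssh-ed25519 and ssh-rsa; assumed to carry over to agec as an age wrapper) and prints OpenSSH-style SHA256 fingerprints. The function names and the sample keys are constructed for illustration.

```python
import base64, hashlib, struct

# Key types age accepts as SSH recipients; assumed to apply to agec as an age wrapper.
AGE_SSH_TYPES = {"ssh-ed25519", "ssh-rsa"}

def check_keys(text):
    """Split authorized_keys-style lines into (accepted, rejected).

    accepted: list of (key_type, sha256_fingerprint, line)
    rejected: list of (line, reason)
    """
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            rejected.append((line, "not '<type> <base64>'"))
            continue
        key_type, b64 = parts[0], parts[1]
        if key_type not in AGE_SSH_TYPES:
            rejected.append((line, "type not usable as an age recipient"))
            continue
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])   # length of the embedded type string
            inner = blob[4:4 + n].decode("ascii")
        except (ValueError, struct.error):
            rejected.append((line, "malformed key blob"))
            continue
        if inner != key_type:
            rejected.append((line, "type label does not match key blob"))
            continue
        digest = hashlib.sha256(blob).digest()
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        accepted.append((key_type, fp, line))
    return accepted, rejected

def constructed_ed25519(seed):
    # Constructed sample key (not a real user's key): the wire format is the
    # string "ssh-ed25519" followed by a 32-byte public key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    sample = constructed_ed25519(7) + "\necdsa-sha2-nistp256 AAAA\n"
    ok, bad = check_keys(sample)
    for key_type, fp, _ in ok:
        print("accept", key_type, fp)
    for line, why in bad:
        print("reject", why, "->", line[:40])
```

The fingerprints it prints have the same form as `ssh-keygen -lf` output, so the key owner can confirm them on their own machine before the keys are added.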
agec has the concepts of ‘user’ and ‘group’. You can check them in the root configuration.
cat .agec.yaml
Create an encrypted file that can be decrypted only by “aca” or members of group admin
agec encrypt secret.txt -u aca -g admin
Decrypt the file. By default, it tries to decrypt with the keys in ~/.ssh.
agec decrypt secret.txt.age
edit files
chown updates the secret to be encrypted with the public keys of user:james instead of user:aca+group:admin
agec chown -u james -g '' secret.txt
Re-encrypt it; you will no longer be able to decrypt the secret
agec encrypt secret.txt
agec decrypt secret.txt.age # fail
Try to decrypt it with james’s private key
agec decrypt secret.txt.age -i james.agekey # success
List of available commands and detailed usage
agec --help
agec [command] --help