Decrypt not working with my setup

[orolhawion]

Environment

• OS: MacOS 11 (Big Sur)
• age version: 1.0.0.rc1

What were you trying to do

I tried to decrypt a previously encrypted txt file.

What happened

An error was displayed: Error: no identity matched any of the recipients

More Details

I might explain my setup which may be the issue itself:

For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

I read that ssh-agent is not supported, however I am running gpg-agent, which also may not be supported. I just thought I would have a use case here.

Could be related to #137

$ age -R ~/.ssh/id_rsa.pub plain.txt > plain.txt.age

$ cat plain.txt.age 
age-encryption.org/v1
-> ssh-rsa 7nXROQ
[...]
--- Nsc+ERH0H8DWzgNYMCxRdndI1KBX9+sFMsRUO7JKEB4
σ????
V??v\?'A??ۡ>Iv??? ?%                                                                                                                                                                                                                                                                                                                          

$ age -d plain.txt.age > plain.txt.age.decrypted
Error: no identity matched any of the recipients
[ Did age not do what you expected? Could an error be more useful? Tell us: https://filippo.io/age/report ]

[FiloSottile]

For encryption I derived the ssh public key from my pgp key (RSA4096) which is located on my YubiKey 5, hence I do not have a private key file on the file system as the doc suggests.

Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

[kfken]

Yeah unfortunately SSH keys are only supported when available as a file. It's technically impossible to support them through the standard ssh-agent protocol. It might technically be possible to bypass the ssh-agent and use gpg-agent to do a decryption with the authentication key, if the OpenPGP applet allows that. However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

Is the yubikey plugin working and ready to use? Or is that still in development?

[FiloSottile]

Still in development but the spec should be close to done.

[supermarin]

However, we'd rather make the YubiKey plugin work very well and recommend using that rather than SSH keys for YubiKey compatibility.

@FiloSottile does this imply the YubiKey plugin will require a hardware key?
i.e. no keychain / other agent based support is planned for password protected, digital keys?

This is the only usability feature that's stopping me from completely moving away from gpg.

[FiloSottile]

Not as part of the YubiKey plugin, but we are thinking about encrypted keys and agents plugins. The plugin protocol is designed specifically with that in mind.

[Ciantic]

Is there an issue we could follow? I periodically check the README of age for this line:

SSH keys held on YubiKeys can't be used to decrypt files.

Until that is fixed, I have to naturally use GPG, because I'm not storing my private keys as a file to decrypt stuff.

Btw, it would be handy to mention that this is being worked on, and it's not impossible in practice.

[str4d]

The age-plugin-yubikey plugin is now in beta (you may need to use it with rage, as I'm not sure age has merged plugin support yet). It stores native age identities in the PIV applet of the YubiKey.