Replies: 5 comments
-
(Sorry for accidental closing, acute slight sleep/coffee insufficiency. DELME.)
-
Excuse me if I'm not understanding your use case, but wouldn't that just be encrypting the same thing twice? Or are you expecting a multiple-recipients type feature that allows either the passphrase or recipient's key to unlock?
-
It could be called a) "encrypting twice"; I meant an additional layer of security with a secret "symmetric key" (derived from a passphrase, or set directly), for the same single recipient, but maybe different per file/message, if it's useful to do so.
-
.. I've already mentioned WireGuard, which has optional PresharedKey in addition to PublicKey
-
The reason it's forbidden is that different users would have different expectations about how it works, dangerously so: normally, encrypting to multiple recipients allows any of them to decrypt, so the most straightforward implementation would allow decrypting with either the passphrase or the key; instead, you reasonably expect both to be required. Confusion in security UX is dangerous, so we chose to not allow the combination at all. It's clunkier and less efficient, but you can still encrypt twice, and then it's very clear how it's going to work.
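The distinction drawn in the reply above, as an added example that is not part of the thread or of age's code: a simplified Python model in which one header stanza per credential lets either credential decrypt, while nesting two layers requires both. The `seal`/`unseal` toy cipher, the symmetric stand-in for the recipient key, the scrypt cost parameters and the layer order are assumptions made for illustration; this is not age's file format.

```python
import hashlib, hmac, secrets

def seal(key: bytes, data: bytes) -> bytes:
    """Toy encrypt-then-MAC stand-in for an AEAD (SHAKE-256 keystream + HMAC tag)."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt-derived key; the cost parameters here are assumptions.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def encrypt_either(keys, msg: bytes):
    """Multi-recipient model: one random file key, wrapped once per credential."""
    file_key = secrets.token_bytes(32)
    return [seal(k, file_key) for k in keys], seal(file_key, msg)

def decrypt_either(key: bytes, stanzas, body: bytes):
    """Any single credential that opens one stanza recovers the message."""
    for stanza in stanzas:
        file_key = unseal(key, stanza)
        if file_key is not None:
            return unseal(file_key, body)
    return None

def encrypt_both(recipient_key: bytes, pass_key: bytes, msg: bytes) -> bytes:
    """'Encrypt twice': inner layer for the recipient, outer for the passphrase."""
    return seal(pass_key, seal(recipient_key, msg))

def decrypt_both(recipient_key: bytes, pass_key: bytes, blob: bytes):
    """Both layers must open; a missing or wrong credential yields None."""
    inner = unseal(pass_key, blob)
    return None if inner is None else unseal(recipient_key, inner)

if __name__ == "__main__":
    rk = secrets.token_bytes(32)  # constructed stand-in for a recipient key
    pk = passphrase_key("constructed passphrase", b"constructed-salt")
    stanzas, body = encrypt_either([rk, pk], b"hello")
    print(decrypt_either(pk, stanzas, body), decrypt_both(rk, pk, encrypt_both(rk, pk, b"hello")))
```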
-
Currently, passphrase is obviously intended mainly for privkey storage encryption with scrypt, and cannot be combined with recipient key.
I understand there's a "passphrase distribution" problem (also some usability problem), however, the peers might already have prenegotiated some. It would be nice if age had a feature similar to WireGuard PSK. (From a normal user's standpoint, it might not be clear why the recipient + passphrase combination is "forbidden"; it should maybe be just discouraged.)