Add age-seed-keygen CLI tool
Generates and recovers age X25519 identity keys from a BIP39 24-word mnemonic. Uses 256 bits of entropy mapped directly to an X25519 private key, encoded in the standard age identity file format (AGE-SECRET-KEY-1…).

Commands:
  generate — create a new age identity and print the 24-word mnemonic
  recover — reconstruct the exact same identity from the mnemonic

Dependencies: bech32, cryptography, mnemonic. Setup via setup.sh.
@@ -0,0 +1,73 @@
# age-seed-keygen
An age identity generator with a BIP39 recovery phrase. Every key comes with 24 words you can write down — lose the file, say the words, get it back.
## The idea
age X25519 identity keys are 32 random bytes. BIP39 is a standard for encoding random bytes as human-readable words (the same standard hardware wallets use). This tool generates 256 bits of entropy, turns it into both an age identity and a 24-word mnemonic, and gives you both. Recovery is the reverse — give back the 24 words, get back the exact same identity.
If you already use `ssh-seed-keygen`, you can back up both an SSH key and an age identity from a single mnemonic — or keep them separate. Either way, one piece of paper is all you need.
## Getting started
```bash
bash setup.sh
```
Creates a virtualenv and installs the three dependencies.
## Generating an identity
```bash
.venv/bin/python keygen.py generate
```
Writes the identity file to `~/.config/age/key.txt` by default, then prints your 24 words. Write them down somewhere offline.
```bash
# different output path
.venv/bin/python keygen.py generate -o ~/my-age-key.txt
```
## Recovering an identity
```bash
# pass the words directly
.venv/bin/python keygen.py recover word1 word2 ... word24
# or run it and paste when prompted
.venv/bin/python keygen.py recover
```
Same `-o` flag applies if you want the recovered file somewhere other than the default path.
## Using the identity
The output file is a standard age identity file — it works directly with the `age` CLI:
```bash
# encrypt a file
age -r age1<your-public-key> secret.txt > secret.txt.age
# decrypt using the identity file
age --decrypt -i ~/.config/age/key.txt secret.txt.age > secret.txt
```
## Protecting the identity file
The identity file is written with mode `0600`. If you want to encrypt it at rest, use age itself:
```bash
age --passphrase -o key.txt.age ~/.config/age/key.txt
rm ~/.config/age/key.txt
```
Decrypt before use:
```bash
age --decrypt key.txt.age > ~/.config/age/key.txt
```
## One thing to keep in mind
The mnemonic encodes the private key directly. Anyone with those 24 words has your identity. Treat them at least as carefully as the key file itself.
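Review bot: the restore step under "Protecting the identity file" undoes the `0600` protection the README promises a few lines earlier: `age --decrypt key.txt.age > ~/.config/age/key.txt` creates the file through a shell redirect, so after the preceding `rm` it gets the user's umask (typically `0644`) instead of the mode `keygen.py` sets. Suggest `(umask 077; age --decrypt key.txt.age > ~/.config/age/key.txt)` or a following `chmod 600 ~/.config/age/key.txt`. Two documentation gaps in the same file: the "Using the identity" example needs `age1<your-public-key>`, but nothing says whether `generate` prints the public key or writes it as a comment line in the identity file; and the `ssh-seed-keygen` paragraph suggests backing up "both an SSH key and an age identity from a single mnemonic", yet the commit message says the 256 bits map directly to the X25519 private key with no derivation step, so a shared mnemonic means the SSH key and the age identity are the same 32 secret bytes used under two algorithms, and compromise of either exposes the other. The README should state that plainly or recommend separate mnemonics.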