jakobhusu/age-seed-keygen
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f1889629f674d372765c7fb9400f07864f222cb
age-seed-keygen/README.md
T
jakobhusu 1f1889629f Add age-seed-keygen CLI tool 
Generates and recovers age X25519 identity keys from a BIP39 24-word
mnemonic. Uses 256 bits of entropy mapped directly to an X25519 private
key, encoded in the standard age identity file format (AGE-SECRET-KEY-1…).

Commands:
  generate  — create a new age identity and print the 24-word mnemonic
  recover   — reconstruct the exact same identity from the mnemonic

Dependencies: bech32, cryptography, mnemonic. Setup via setup.sh.
2026-05-20 15:55:53 +02:00

74 lines
2.2 KiB
Markdown
Raw Blame History

# age-seed-keygen
An age identity generator with a BIP39 recovery phrase. Every key comes with 24 words you can write down — lose the file, say the words, get it back.
## The idea
age X25519 identity keys are 32 random bytes. BIP39 is a standard for encoding random bytes as human-readable words (the same standard hardware wallets use). This tool generates 256 bits of entropy, turns it into both an age identity and a 24-word mnemonic, and gives you both. Recovery is the reverse — give back the 24 words, get back the exact same identity.
If you already use `ssh-seed-keygen`, you can back up both an SSH key and an age identity from a single mnemonic — or keep them separate. Either way, one piece of paper is all you need.
## Getting started
```bash
bash setup.sh
```
Creates a virtualenv and installs the three dependencies.
## Generating an identity
```bash
.venv/bin/python keygen.py generate
```
Writes the identity file to `~/.config/age/key.txt` by default, then prints your 24 words. Write them down somewhere offline.
```bash
# different output path
.venv/bin/python keygen.py generate -o ~/my-age-key.txt
```
## Recovering an identity
```bash
# pass the words directly
.venv/bin/python keygen.py recover word1 word2 ... word24
# or run it and paste when prompted
.venv/bin/python keygen.py recover
```
Same `-o` flag applies if you want the recovered file somewhere other than the default path.
## Using the identity
The output file is a standard age identity file — it works directly with the `age` CLI:
```bash
# encrypt a file
age -r age1<your-public-key> secret.txt > secret.txt.age
# decrypt using the identity file
age --decrypt -i ~/.config/age/key.txt secret.txt.age > secret.txt
```
## Protecting the identity file
The identity file is written with mode `0600`. If you want to encrypt it at rest, use age itself:
```bash
age --passphrase -o key.txt.age ~/.config/age/key.txt
rm ~/.config/age/key.txt
```
Decrypt before use:
```bash
age --decrypt key.txt.age > ~/.config/age/key.txt
```
## One thing to keep in mind
The mnemonic encodes the private key directly. Anyone with those 24 words has your identity. Treat them at least as carefully as the key file itself.
Reference in New Issue View Git Blame Copy Permalink