Inspect encrypted file details #56
Comments
|
Disclaimer: I am not a cryptographer, so maybe I misunderstood the spec. Looking at the spec, I think it's impossible to do this. The best that could be done is to tell how many recipients there are, but is this really useful? For example: The spec says, that an age reciepient (X25519) stanza is composed like this: You can see that the public key is only used (after some transformation) to encrypt the file key. I think it is thus impossible to get back the public key from that. It's probably (I'm not sure) even impossible to tell if the file was encrypted for a given public key. I would guess, that this is an intended security feature: No third party should be able to tell for whom a file was encrypted. |
|
We can't print what recipients a file is encrypted to, but there should be a way to get a text/JSON output with number and types of recipients, header version, and file size. It would work for both armored and binary files. |
FiloSottile
changed the title
|
It would be nice to be able to find the file size, at least in the Go API, without needing to read the full file. I would like to decrypt a file and stream the raw file out, but use content length=N prefix. It seems like this should be possible by reading the header and knowing the encrypted file size. |
|
While writing another client for age, I've encountered another application for something like this: If a user tries to decrypt an age file with a password, that was not encrypted with a password, the error from the age library tells the user that the password was wrong. If the age library gave me some way to see if |
What were you trying to do
Identify file's recipients, or at least how many recipients there are.
What happened
I created an ascii armored encrypted file.
agegives no way to list its recipients, as it does in the binary format (excluding some bash magic relying on the knowledge that the PEM uses base64).As a matter of fact, a pretty listing of recipients would also be useful for non-armored files, if it could present the files in the same format as originially (e.g. to visually match/grep ssh pubkey to one of the files in ~/.ssh/id_rsa). And be a good follow up for the error message "Error: no identity matched a recipient".
Side note - confusing feature set of beta
By browsing this repo's issues, the mailing list and the age specification, I encountered various potential methods of storing the keys and specifying recipients (the
~/.config/age/keys.txtpath, recipient's github username, providing https url of the keys). None of them seemed to work. It would be nice for the repo's readme to be more explicit about which parts are NOT implemented in the current version.The text was updated successfully, but these errors were encountered: