Encrypt/decrypt files by using age and a public/private key stored on a Ledger device.
This app is used to manage an age identity on a Ledger device.
A version of this app for Nano S Plus and Nano X is available on Ledger Live. To install it:
- Open Ledger Live
- Since the app is still in pre-release, you need to enable Developer mode and manually choose the right app provider.
  - Go to Settings
  - Enable Developer mode
  - Under My Ledger provider, choose 4
  - Go to
- With your device plugged in: go to My Ledger, search in the app catalog for age identity and install it.
You can also compile this app locally by executing cargo ledger build <device> (with <device> being either nanosplus or nanox).
Additionally, you can load the app to your device by using Cargo Ledger. Please note that loading this app on a device without using Ledger Live is only available for Nano S Plus and requires the ledgerctl Python tool.
To do so, just execute: cargo ledger build nanosplus --load
To use this app, you first need to:
- Install an age client (e.g. winage, age or rage);
- Install the Ledger plugin for age.
There are four basic usages (illustrated here using the rage client and a Nano S Plus).
A recipient string containing public data needs to be provided in order to perform encryption.
To retrieve the recipient associated with a Ledger device, call the Ledger plugin with the --list option.
➜ age-plugin-ledger --list
age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
To encrypt, just use your age client as you would for any other type of recipient.
➜ rage -r age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v -e example -o example.age
Note that this step can be done without having any Ledger device, but still requires the Ledger plugin for age.
In order to decrypt a file, age clients require an identity to be provided (one that usually contains the private data associated with a recipient). The Ledger plugin for age uses a "stub" identity which does not contain any private data. It is used to identify the device holding the private material needed to decrypt for a given recipient.
To retrieve a stub identity associated with a Ledger device, call the Ledger plugin with the --identity option.
➜ age-plugin-ledger --identity | tee id
Recipient: age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
# Recipient: age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
AGE-PLUGIN-LEDGER-1WH90T6PD06QN907ADRARJTDMR20K7K8HQQVY8RX7PSVGS5P3Q7PQLHDJXV
To decrypt, just use your age client as you would for any other type of identity.
➜ rage -d -i id -o example_decrypted example.age
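Because the stub identity described above carries no private data, a useful check before backing up or sharing an identity file is that it holds only Ledger stubs and no native age key. The Python below is an added example, not code from the app or the plugin; its function names are hypothetical, its sample strings are constructed with an arbitrary payload, and it assumes age's Bech32 encoding with the AGE-PLUGIN-LEDGER- and AGE-SECRET-KEY- prefixes.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 data alphabet
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def polymod(hrp, data):
    """Bech32 checksum state over the expanded prefix followed by 5-bit data."""
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data:
        top, chk = chk >> 25, (chk & 0x1FFFFFF) << 5 ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def encode(hrp, data):
    """Build a Bech32 string; used only to construct the samples below."""
    pm = polymod(hrp, data + [0] * 6) ^ 1
    full = data + [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in full)

def decode_hrp(s):
    """Return the lowercase prefix if s is checksum-valid Bech32, else None."""
    if s != s.upper() and s != s.lower():
        return None  # mixed case is never valid
    hrp, sep, body = s.lower().rpartition("1")
    if not hrp or len(body) < 6 or any(c not in CHARSET for c in body):
        return None
    return hrp if polymod(hrp, [CHARSET.index(c) for c in body]) == 1 else None

def audit_identity_file(text, plugin="ledger"):
    """Return (line_number, problem) pairs; an empty list means stubs only."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments such as "# Recipient: ..."
        hrp = decode_hrp(line)
        if hrp is None:
            problems.append((n, "not valid Bech32"))
        elif hrp == "age-secret-key-":
            problems.append((n, "native private key present"))
        elif hrp != f"age-plugin-{plugin}-":
            problems.append((n, f"unexpected identity type {hrp!r}"))
    return problems

# Constructed samples with an arbitrary payload (not real key material).
STUB = encode("age-plugin-ledger-", list(range(32))).upper()
NATIVE = encode("age-secret-key-", list(range(32))).upper()
if __name__ == "__main__":
    print(audit_identity_file(f"# Recipient: (constructed)\n{STUB}\n{NATIVE}\n"))
```

An empty result means every non-comment line is a checksum-valid Ledger stub; any other identity type is reported with its line number.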