Maybe we also need --age-recipient and --age-recipient-file for chezmoi edit

[yilinfang]

Thank you so much for the new features --age-recipient and --age-recipient-file for chezmoi add, which greatly improve the ability to control sensitive data encryption granularity.

However, there is a minor issue with chezmoi edit. When editing an encrypted file, it does not respect the original recipients specified during chezmoi add and instead encrypts the file with multiple recipients defined in the configuration file.

Following are steps to reproduce.

0. Chezmoi setup is following.

root@e68b1c737f58:~/.local/share/chezmoi# chezmoi --version
chezmoi version v2.64.0, commit 9b1def1eff7c581272ffeb7f707e7af80ec434b1, built at 2025-08-06T20:36:27Z, built by goreleaser
root@e68b1c737f58:~/.local/share/chezmoi# age --version
v1.2.1
root@e68b1c737f58:~/.local/share/chezmoi# cat ~/.config/chezmoi/chezmoi.toml
encryption = "age"
[age]
identities = ["~/.age/key1.txt", "~/.age/key2.txt"]
recipientsFiles = ["~/.age/key1_pub.txt", "~/.age/key2_pub.txt"]

1. Add ~/test.txt with --age-recipient-file ~/.age/key2_pub.txt.

root@e68b1c737f58:~/.local/share/chezmoi# chezmoi add --encrypt --age-recipient-file ~/.age/key2_pub.txt ~/test.txt
root@e68b1c737f58:~/.local/share/chezmoi# age -d -i ~/.age/key1.txt ./encrypted_test.txt.age
age: error: no identity matched any of the recipients
age: report unexpected or unhelpful errors at https://filippo.io/age/report
root@e68b1c737f58:~/.local/share/chezmoi# age -d -i ~/.age/key2.txt ./encrypted_test.txt.age
test

It can be decrypted with ~/.age/key2.txt but not ~/.age/key1.txt, as expected.

2. Run chezmoi edit ~/test.txt.

root@e68b1c737f58:~/.local/share/chezmoi# chezmoi edit ~/test.txt
root@e68b1c737f58:~/.local/share/chezmoi# age -d -i ~/.age/key1.txt ./encrypted_test.txt.age
test
test
root@e68b1c737f58:~/.local/share/chezmoi# age -d -i ~/.age/key2.txt ./encrypted_test.txt.age
test
test

After running chezmoi edit, the file can be decrypted with both ~/.age/key1.txt and ~/.age/key2.txt. It seems that it is encrypted with multiple recipients, including ~/.age/key1_pub.txt, which was not specified during chezmoi add.

This is a minor issue since we could use chezmoi forget and chezmoi add instead, but it would be much convenient if we could also have --age-recipient and --age-recipient-file for chezmoi edit.

Thank you again for the awesome software!

[twpayne]

Yup, this makes total sense. I'll promote --age-recipient and --age-recipient-file to global flags so they apply to all commands.

[twpayne]

I've created #4595 to implement this. @yilinfang would you be able to test this?

[yilinfang]

No problem!