Age is built in to chezmoi, but I cannot generate a keyfile using chezmoi's built-in age

[foobl42]

Chezmoi comes with built-in age. However, to my knowledge, doesn't come packaged with an equivalent way to generate a keyfile. Would it be possible to wrap age-keygen into chezmoi's age command in some way, to enable the ability to utilize age encryption without having to download/install the actual age package?

[foobl42]

Also, age-keygen with a -y option allows you to be able to extract the public key (recipient) from a supplied identity file. I use this option to simply pull in the recipient rather than use chezmoi to prompt the user for that info. So, without chezmoi supplying access to age-keygen functionality (similar to how it provides access to "git"), I have to then include the full age package as a dependency. Hope this makes sense. Please let me know if you have any thoughts on this as a potential addition.

[twpayne]

Yup, this makes sense. I've implemented it in #4607. Would you be able to test this?

[foobl42]

Sure thing. Thanks much! I'll let you know how it goes.

[foobl42]

The "chezmoi age-keygen -y <identity_key_file>" works as expected. Thanks. The "chezmoi age-keygen -o <new_identity_key_file>" also works as expected. Also the plain "chezmoi age-keygen" works also as expected. Thanks!

Note, one possible suggestion would be to update the example at: https://www.chezmoi.io/user-guide/frequently-asked-questions/encryption/#how-do-i-configure-chezmoi-to-encrypt-files-but-only-request-a-passphrase-the-first-time-chezmoi-init-is-run, with the alternative method of using the built-in chezmoi age/age-keygen capability. In that example, you use:

age-keygen | age --armor --passphrase > key.txt.age

I would recommend adding the alternative equivalent example:

chezmoi age-keygen | chezmoi age encrypt --passphrase > key.txt.age

Note however, that in the above example, there is an error condition where it doesn't (at least not for me) prompt for the password (no prompt is printed to stdout). It just waits. You can still type your password twice and the command will complete successfully. The below command works the same, but does display the prompt:

chezmoi age-keygen | chezmoi age encrypt --passphrase --output key.txt.age

[twpayne]

Good idea, done.