-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decrypting with multiple identities #178
Comments
The underlying issue is the interactive prompt generated when the plugin fails to find the YubiKey for the identity it is attempting to use. i.e.
I would have voiced my desire for this prompt to be made optional, with the alternative being automatically skip an indentoity if the YubiKey it is associated to is not present. However, I think doing so would cause another issue whereby the PIN would be required for each decryption (at least for all but the first key in the identity file). I imagine the issue arises from an attempt to access a key that is not present closing the existing session on the present key (see also). |
The UX issue you are encountering is a side-effect of a UX decision made in the age clients. In the distant past, some age clients (naming no names but However, this had a significant UX problem in that the order in which identities were tried was non-deterministic, and could not be predicted by the user. So back in 2021 we decided to make What this means is, when you call:
what you are telling What this fundamentally boils down to is two conflicting user desires:
Now, there might be UX tricks we could pull to mitigate this somewhat. But as long as age clients treat |
One such UX trick would be to define an "OR" identity. That is, in addition to the current The workflow would be something like:
Having sketched out the above, I'm not sure about whether this added UX and implementation complexity is worth the flexibility it brings. Thoughts @FiloSottile? |
I'd prefer this as well, as I have one Yubikey always plugged in my PC at home, and another one on my keychain which I use on my laptop. I'd like to use try the one on my keychain first, if that one isn't plugged in, it'd be great if it could automatically check the other Yubikey. |
@Tiebe a plain reading of your use case would suggest it can be handled with the existing client and plugin UX, by expressing your preferences thusly:
However, I think what you intended to say is (emphasis added):
which is a somewhat unusual use case: if there's a Yubikey always plugged in, why decrypt with the keychain Yubikey first? (The answer is likely "the file is only encrypted to the keychain Yubikey", which per above can be solved by always encrypting to both, but let's assume that isn't done here.) If you explicitly use |
Couldn't age/rage call |
This comment was marked as resolved.
This comment was marked as resolved.
@mntn-xyz The PR you reference (and the vars you describe) only relates to Passage plugins. It has no impact on age plugins. |
@remko Thanks, I misunderstood the PR and thought it could help solve this issue. I see now that it's a problem in other plugins as well and it's not a problem with passage at all. |
Hello,
Thanks for this plugin!
My scenario is:
age-plugin-yubikey --list-all
)age-plugin-yubikey --identity
)For this, I am using https://github.com/ryantm/agenix and I realized it does the following:
The problem is:
If I have the yubikey with
<identity-1>
plugged in, it works, but if I have the one with<identity-2>
it does not.Executing the above command manually brings up a popup to choose between skipping the yubikey or inserting it and trying it again, so I got this error:
If I change the order to (still: yubikey with
<identity-2>
is plugged in), it works:Could this be handled to make the decryption successful if any of the provided identities are ok? Am I missing something?
The text was updated successfully, but these errors were encountered: