Support passing standard ssh keys to age encryption

offen · Feb 6, 2025 · 4380767 · 4380767
1 parent 2375607
commit 4380767
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 3 deletions.
diff --git a/cmd/backup/encrypt_archive.go b/cmd/backup/encrypt_archive.go
@@ -10,8 +10,10 @@ import (
 	"io"
 	"os"
 	"path"
+	"strings"
 
 	"filippo.io/age"
+	"filippo.io/age/agessh"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
@@ -73,7 +75,7 @@ func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
 	recipients := []age.Recipient{}
 	if len(s.c.AgePublicKeys) > 0 {
 		for _, pk := range s.c.AgePublicKeys {
-			pkr, err := age.ParseX25519Recipient(pk)
+			pkr, err := parseAgeRecipient(pk)
 			if err != nil {
 				return nil, errwrap.Wrap(err, "failed to parse age public key")
 			}
@@ -94,6 +96,18 @@ func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
 	return recipients, nil
 }
 
+func parseAgeRecipient(arg string) (age.Recipient, error) {
+	// This logic is adapted from what the age CLI is doing
+	// stripping some special cases
+	switch {
+	case strings.HasPrefix(arg, "age1"):
+		return age.ParseX25519Recipient(arg)
+	case strings.HasPrefix(arg, "ssh-"):
+		return agessh.ParseRecipient(arg)
+	}
+	return nil, fmt.Errorf("unknown recipient type: %q", arg)
+}
+
 func (s *script) encryptWithAge(rec []age.Recipient) error {
 	return s.doEncrypt("age", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
 		return age.Encrypt(ciphertextWriter, rec...)

diff --git a/docs/reference/index.md b/docs/reference/index.md
@@ -358,8 +358,8 @@ You can populate below template according to your requirements and use it as you
 # AGE_PASSPHRASE="<xxx>"
 
 # Backups can be encrypted asymmetrically using age in case publickeys are given.
-# Multiple keys need to be provided as a comma separated list. Right now, this only
-# support passing age keys, with no support for ssh keys.
+# Multiple keys need to be provided as a comma separated list. Right now, this
+# supports `age` and `ssh` keys
 
 # AGE_PUBLIC_KEYS="<xxx>"
 

diff --git a/go.mod b/go.mod
@@ -27,6 +27,7 @@ require (
 )
 
 require (
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/log v0.1.0 // indirect

diff --git a/go.sum b/go.sum
@@ -35,6 +35,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
 filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 h1:1mvYtZfWQAnwNah/C+Z+Jb9rQH95LPE2vlmMuWAHJk8=