age
chezmoi supports encrypting files with age.
Generate a key using age-keygen:
$ age-keygen -o $HOME/key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
Specify age encryption in your configuration file, being sure to specify at least the identity and one recipient:
encryption = "age"
[age]
identity = "/home/user/key.txt"
recipient = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
chezmoi supports multiple recipients and recipient files, and multiple identities.
Symmetric encryption
To use age's symmetric encryption, specify a single identity and enable symmetric encryption in your config file, for example:
encryption = "age"
[age]
identity = "~/.ssh/id_rsa"
symmetric = true
Symmetric encryption with a passphrase
To use age's symmetric encryption with a passphrase, set age.passphrase to true in your config file, for example:
encryption = "age"
[age]
passphrase = true
You will be prompted for the passphrase whenever you run chezmoi add --encrypt and whenever chezmoi needs to decrypt the file, for example when you run chezmoi apply, chezmoi diff, or chezmoi status.
Builtin age encryption
chezmoi has builtin support for age encryption which is automatically used if the age command is not found in $PATH.
Info
The builtin age encryption does not support passphrases, symmetric encryption, or SSH keys.
Passphrases are not supported because chezmoi needs to decrypt files regularly, e.g. when running a chezmoi diff or a chezmoi status command, not just when running chezmoi apply. Prompting for a passphrase each time would quickly become tiresome.
Symmetric encryption may be supported in the future. Please open an issue if you want this.
SSH keys are not supported as the age documentation explicitly recommends not using them:
When integrating age into a new system, it's recommended that you only support X25519 keys, and not SSH keys. The latter are supported for manual encryption operations.
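The builtin limits listed above can be checked before relying on a machine that has no age command in $PATH. The script below is an added example, not part of chezmoi or its documentation; it assumes a TOML config laid out like the ones on this page, and the function names and the optional AGE_COMMAND argument are hypothetical.

```sh
#!/bin/sh
# Added example, not chezmoi code. Assumes a TOML config laid out as on this
# page: an [age] table with one "key = value" setting per line.

# age_setting CONFIG KEY: print KEY's value from the [age] table, unquoted.
age_setting() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_age = ($0 ~ /^[ \t]*\[age\][ \t]*$/); next }
        in_age && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            gsub(/^"|"$/, ""); print; exit
        }' "$1"
}

# is_ssh_key FILE: succeed if FILE starts with a PEM/OpenSSH private key header.
is_ssh_key() {
    [ -r "$1" ] && head -n 1 "$1" | grep -q -e '-----BEGIN .*PRIVATE KEY-----'
}

# check_builtin_age CONFIG [AGE_COMMAND]: if AGE_COMMAND (default: age) is not
# in $PATH, print each [age] setting the builtin cannot handle; return 1 if any.
check_builtin_age() {
    cfg=$1 found=0
    if command -v "${2:-age}" >/dev/null 2>&1; then
        return 0    # external age is available, so the builtin is not used
    fi
    if [ "$(age_setting "$cfg" passphrase)" = true ]; then
        echo "passphrase = true: builtin age does not support passphrases"; found=1
    fi
    if [ "$(age_setting "$cfg" symmetric)" = true ]; then
        echo "symmetric = true: builtin age does not support symmetric encryption"; found=1
    fi
    id=$(age_setting "$cfg" identity)
    case $id in '~/'*) id="$HOME/${id#??}" ;; esac   # expand a leading ~/
    if [ -n "$id" ] && is_ssh_key "$id"; then
        echo "identity $id: builtin age does not support SSH keys"; found=1
    fi
    return "$found"
}

# Run as a script: sh check_builtin_age.sh ~/.config/chezmoi/chezmoi.toml
if [ "$#" -gt 0 ]; then check_builtin_age "$@"; fi
```

Only the single identity setting is inspected; configs that use multiple identities need the same header check applied to each file.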