chezmoi supports encrypting files with age.
Generate a key using `age-keygen`:

```console
$ age-keygen -o $HOME/key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```
Specify age encryption in your configuration file, being sure to specify at least the identity and one recipient:

```toml
encryption = "age"
[age]
    identity = "/home/user/key.txt"
    recipient = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
```
chezmoi supports multiple recipients and recipient files, and multiple identities.
To use age's symmetric encryption, specify a single identity and enable symmetric encryption in your config file, for example:

```toml
encryption = "age"
[age]
    identity = "~/.ssh/id_rsa"
    symmetric = true
```
## Symmetric encryption with a passphrase
To use age's symmetric encryption with a passphrase, set `age.passphrase` to `true` in your config file, for example:

```toml
encryption = "age"
[age]
    passphrase = true
```
You will be prompted for the passphrase whenever you run `chezmoi add --encrypt` and whenever chezmoi needs to decrypt the file, for example when you run `chezmoi apply`, `chezmoi diff`, or `chezmoi cat`.
## Builtin age encryption
chezmoi has builtin support for age encryption, which is used automatically if the `age` command is not found in `$PATH`.
The builtin age encryption does not support passphrases, symmetric encryption, or SSH keys.
Passphrases are not supported because chezmoi needs to decrypt files regularly, e.g. when running a `chezmoi diff` or a `chezmoi status` command, not just when running `chezmoi apply`. Prompting for a passphrase each time would quickly become tiresome.
Symmetric encryption may be supported in the future. Please open an issue if you want this.
SSH keys are not supported as the age documentation explicitly recommends not using them:

> When integrating age into a new system, it's recommended that you only support X25519 keys, and not SSH keys. The latter are supported for manual encryption operations.