@
Version
age v1.3.1.
Problem
A common real-world setup is to keep the age identity (AGE-SECRET-KEY-1...) inside a password-manager vault (Bitwarden, 1Password, KeePassXC, pass) rather than on disk. This is the recommended approach for anyone using age to encrypt secrets in a git repo (sops+age, git-crypt-alike workflows, .env.enc patterns), because the identity file itself must not be checked in and putting it in the vault gives you cross-device sync + backup + audit trail for free.
There is no documentation of this pattern anywhere in the age README, wiki, or man page, so every team reinvents it — usually by copy-pasting the key into a "secure note" and then hand-rolling a shell one-liner to pipe it into age -d -i -.
Suggestion
Add a short "Storing identities" section (README or a docs/ page) covering the two common shapes:
- Ephemeral pipe from the vault — retrieve the secret from the manager CLI and pipe it in as
-i -:
# Bitwarden
bw get notes age-identity | age -d -i - secret.age
# 1Password
op read "op://Personal/age/identity" | age -d -i - secret.age
# pass
pass show age/identity | age -d -i - secret.age
- Materialise to a temp file for tools (like sops) that require a real path —
mktemp, write, chmod 600, use, shred/rm on exit. Show the trap-based cleanup pattern.
Both patterns work today with the existing -i - support; this is purely a documentation ask, no code change.
Why this is worth adding
- Reduces the "put the age key in a synced folder" foot-gun (see companion issue about Windows key locations).
- Gives sops+age users a citable pattern instead of folk knowledge.
- Costs the project nothing to maintain — the CLI already supports
-i -.
Happy to open a docs PR if the maintainers are receptive.
@
@
Version
age v1.3.1.
Problem
A common real-world setup is to keep the age identity (
AGE-SECRET-KEY-1...) inside a password-manager vault (Bitwarden, 1Password, KeePassXC, pass) rather than on disk. This is the recommended approach for anyone using age to encrypt secrets in a git repo (sops+age, git-crypt-alike workflows,.env.encpatterns), because the identity file itself must not be checked in and putting it in the vault gives you cross-device sync + backup + audit trail for free.There is no documentation of this pattern anywhere in the age README, wiki, or man page, so every team reinvents it — usually by copy-pasting the key into a "secure note" and then hand-rolling a shell one-liner to pipe it into
age -d -i -.Suggestion
Add a short "Storing identities" section (README or a
docs/page) covering the two common shapes:-i -:mktemp, write,chmod 600, use,shred/rmon exit. Show the trap-based cleanup pattern.Both patterns work today with the existing
-i -support; this is purely a documentation ask, no code change.Why this is worth adding
-i -.Happy to open a docs PR if the maintainers are receptive.
@