Skip to content

Docs: example workflow for storing age identities in a password manager (Bitwarden / 1Password / etc.) #722

Description

@chirag127

@

Version

age v1.3.1.

Problem

A common real-world setup is to keep the age identity (AGE-SECRET-KEY-1...) inside a password-manager vault (Bitwarden, 1Password, KeePassXC, pass) rather than on disk. This is the recommended approach for anyone using age to encrypt secrets in a git repo (sops+age, git-crypt-alike workflows, .env.enc patterns), because the identity file itself must not be checked in and putting it in the vault gives you cross-device sync + backup + audit trail for free.

There is no documentation of this pattern anywhere in the age README, wiki, or man page, so every team reinvents it — usually by copy-pasting the key into a "secure note" and then hand-rolling a shell one-liner to pipe it into age -d -i -.

Suggestion

Add a short "Storing identities" section (README or a docs/ page) covering the two common shapes:

  1. Ephemeral pipe from the vault — retrieve the secret from the manager CLI and pipe it in as -i -:
    # Bitwarden
    bw get notes age-identity | age -d -i - secret.age
    
    # 1Password
    op read "op://Personal/age/identity" | age -d -i - secret.age
    
    # pass
    pass show age/identity | age -d -i - secret.age
  2. Materialise to a temp file for tools (like sops) that require a real path — mktemp, write, chmod 600, use, shred/rm on exit. Show the trap-based cleanup pattern.

Both patterns work today with the existing -i - support; this is purely a documentation ask, no code change.

Why this is worth adding

  • Reduces the "put the age key in a synced folder" foot-gun (see companion issue about Windows key locations).
  • Gives sops+age users a citable pattern instead of folk knowledge.
  • Costs the project nothing to maintain — the CLI already supports -i -.

Happy to open a docs PR if the maintainers are receptive.
@

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions