passage
=======

passage is a fork of password-store (https://www.passwordstore.org) that uses
age (https://age-encryption.org) as a backend instead of GnuPG.

Differences from pass
---------------------

The password store is at $HOME/.passage/store by default.

For decryption, the age identities at $HOME/.passage/identities are used with
the -i age CLI option.

For encryption, the nearest .age-recipients file (that is, the one in the same
directory as the secret, or in the closest parent) is used with the -R age CLI
option. If no .age-recipients files are found, the identities file is used with
the -i option.

Extensions are searched at $HOME/.passage/extensions. password-store extensions
that wish to be compatible with passage can switch on the PASSAGE variable.

The init command is not currently available, and moving or copying a secret
always re-encrypts it.

Example: simple set up
----------------------

In this setup, the key is simply saved on disk, which can be useful if the
password store is synced to a location less trusted than the local disk.

    age-keygen >> $HOME/.passage/identities

Example: set up with a password-protected key
---------------------------------------------

This setup allows using the identity file password as the primary password
to unlock the store.

    KEY="$(age-keygen)"
    echo "$KEY" | age -p -a >> $HOME/.passage/identities
    echo "$KEY" | age-keygen -y >> $HOME/.passage/store/.age-recipients

Example: set up with age-plugin-yubikey
---------------------------------------

This setup requires age v1.1.0, or rage (https://github.com/str4d/rage), and
the PIV plugin age-plugin-yubikey (https://github.com/str4d/age-plugin-yubikey).

It's recommended to add more YubiKeys and/or age keys to the .age-recipients
file as recovery options, in case this YubiKey is lost.

    age-plugin-yubikey # run interactive setup
    age-plugin-yubikey --identity >> $HOME/.passage/identities
    age-plugin-yubikey --list >> $HOME/.passage/store/.age-recipients

Integrating with fzf
--------------------

The following script can be invoked with any (or no) passage flags, and
spawns a fuzzy search dialog using fzf (https://github.com/junegunn/fzf)
for selecting the secret.

    #! /usr/bin/env bash
    set -eou pipefail
    PREFIX="${PASSAGE_DIR:-$HOME/.passage/store}"
    FZF_DEFAULT_OPTS=""
    name="$(find "$PREFIX" -type f -name '*.age' | \
      sed -e "s|$PREFIX/||" -e 's|\.age$||' | \
      fzf --height 40% --reverse --no-multi)"
    passage "${@}" "$name"

Migrating from pass
-------------------

    #! /usr/bin/env bash
    set -eou pipefail
    cd "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
    while read -r -d "" passfile; do
      name="${passfile#./}"; name="${name%.gpg}"
      [[ -f "${PASSAGE_DIR:-$HOME/.passage/store}/$name.age" ]] && continue
      pass "$name" | passage insert -m "$name" || { passage rm "$name"; break; }
    done < <(find . -path '*/.git' -prune -o -iname '*.gpg' -print0)

Environment variables
---------------------

  PASSAGE_DIR               Password store location

  PASSAGE_IDENTITIES_FILE   Identities file location

  PASSAGE_AGE               age binary (tested with age and rage)

  PASSAGE_RECIPIENTS_FILE   Override recipients for encryption operations
                            Passed to age with -R

  PASSAGE_RECIPIENTS        Override recipients for encryption operations
                            Space separated, each passed to age with -r

All other environment variables from password-store are respected, such as
PASSWORD_STORE_CLIP_TIME and PASSWORD_STORE_GENERATED_LENGTH.