Support for age recipients file

[chris3ware]

I wondered if being able to encrypt a file with multiple age public keys (recipients) could be done by using the age recipients file as well as passing multiple comma separated keys?

This can be achieved natively with age by passing the -R, --recipients-file PATH argument.

[alxndr13]

doesn't seem to work with version: 3.8.1

always uses the first key in the recipients file. This would come in really handy when working in a team.

[wesbragagt]

I would love to have that working. I'm interested in taking a look and see if I can draft a PR.

[chriscarpenter12]

I too was looking to use sops/age for our team, but setting all the possible public keys in a SOPS_AGE_RECIPIENTS for every team member seems awkward when age support the recipients-file we can put in a repo to share.

[felixfontein]

@chriscarpenter12 why not simply put them in .sops.yaml and store that in the root of the repo that should contain the SOPS encrypted files?

[chriscarpenter12]

Is there an example of all the options in the .sops.yaml file? I didn’t see an example of what you’re describing. I’m new to sops and it seemed the age config was through env vars from the readme.

[felixfontein]

Here's a small example:

creation_rules:
    - age: >-
        age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,
        age129h70qwx39k7h5x6l9hg566nwm53527zvamre8vep9e3plsm44uqgy8gla,
        age129h70qwx39k7h5x6l9hg56qxcxfaqycuprpmy89nr83ltx74tqdpszlw

(A more complex one: https://github.com/getsops/sops?tab=readme-ov-file#using-sopsyaml-conf-to-select-kms-pgp-and-age-for-new-files)