ThomasBrierley/agepad

AGEPAD(1)                   General Commands Manual                   AGEPAD(1)

NAME
       agepad - age encrypted, survivable shared secrets

SYNOPSIS
       agepad <command> [NAME] [VALUE]

DESCRIPTION
       agepad  encrypts  and  decrypts  secrets  to and from any git repo using
       age(1) file encryption. This thin layer on top of  age  allows  multiple
       users  with  different  passphrases to manage the same set of shared se‐
       crets.

       It's a fully self-contained secret store,  depending  only  on  material
       stored in the repo. No separate private keys, no external services. Each
       user only needs their brain and a copy of the repo to retrieve a secret.

       This  was  made  for  backup  and distribution of infrastructure secrets
       among small groups of trusted users, who prioritise  secret  survivabil‐
       ity,  operational  simplicity  and  independence  over advanced KMS fea‐
       tures... In other words, I'm paranoid about losing encryption keys.  The
       primary  concerns  this  tool  addresses are secret loss due to external
       points of failure, and secret exposure due to file based credential har‐
       vesting attacks.

COMMANDS
       register [NAME]
              New users run this command to add themselves to a repo.  It  cre‐
              ates  a passphrase encrypted user access key. This alone does not
              grant access, but prints a RECIPIENT key  for  requesting  autho‐
              rization.

       authorize [NAME] [RECIPIENT]
              Existing  users  run  this  command to authorize a new registered
              user. It creates an encrypted copy of the  master  key  with  the
              provided  RECIPIENT key, granting full access to all existing and
              future secrets.

       add [NAME]
              Add a secret to the repo. (requests interactive login).

       remove [NAME]
              Remove a secret from the repo. (requests interactive login).

       show [NAME]
              Print a secret to stdout. (requests interactive login).

              For convenience NAME can also be a file path to gain shell  auto‐
              completion e.g. ./agepad show .agepad/foo.secret.key

       copy [NAME]
              Copy a secret to clipboard. (requests interactive login).

              For  convenience NAME can also be a file path to gain shell auto‐
              completion e.g. ./agepad copy .agepad/foo.secret.key

EXAMPLES
       agepad can be added to any git repo. It will only modify and commit con‐
       tent under .agepad/ relative to the script location.

       Copy and commit the agepad script to a repo, then run the register  com‐
       mand  to  initialise the store with the first user. This first user will
       be automatically authorized with a newly generated master key:

            ./agepad register

       Secrets can then be added:

            ./agepad add foo

       And retrieved:

            ./agepad show foo

       Additional users can be added in a two step process. The new user clones
       the repo and runs the register command:

            ./agepad register

       This prints a RECIPIENT key to be sent to an existing user,  who  enters
       it when running the authorize command:

            ./agepad authorize

       All write commands (register, authorize, add and remove) automatically
       commit and push their changes when an upstream branch is detected, and
       automatically roll back the commit if the push is rejected because of a
       conflict.

PASSPHRASE SECURITY
       TL;DR use reasonably strong passphrases - brute-force resistance is only
       useful for passphrases that cannot be guessed.

       Unlike many git based password managers, agepad stores the user access
       keys alongside the secrets in order to maximise survivability. The cost
       of this choice is that anyone holding a clone of the repo also holds
       every user's passphrase-encrypted access key and can attack it offline,
       with no rate limiting. Brute force resistance therefore depends only on
       the strength of each user's passphrase and on the PBKDF used to encrypt
       the access keys.

       agepad uses age(1) for all encryption, which protects passphrase-
       encrypted files with scrypt, a memory-hard password-based KDF. Because
       every guess costs memory as well as time, scrypt is considered one of
       the KDFs most resistant to GPU and ASIC brute forcing. It does nothing,
       however, for a passphrase that falls early in a dictionary or rule-based
       attack: the attacker's total work is the number of guesses multiplied by
       the cost of one scrypt run, and only the passphrase controls the number
       of guesses. To benefit from scrypt, a passphrase must be strong enough
       that it actually has to be brute forced.

       Arguably this is no weaker in practice than storing access keys
       separately in home directories, given the rise of file-based credential
       harvesting attacks that effectively remove that separation. It is
       significantly stronger than solutions that do not encrypt access keys at
       all, or that encrypt them with PBKDF2, which is not memory-hard and is
       cheap to parallelise on GPUs.
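       The attack described above, as an added example that is not agepad's
       or age's code: a stdlib-only Python model of a scrypt-wrapped access
       key (salt, work factor, wrapped key, authentication tag; the wrap
       itself is a toy stand-in for the ChaCha20-Poly1305 age uses) and the
       offline dictionary loop an attacker holding a clone of the repo would
       run against it. The scrypt parameters, the wordlist and the two
       passphrases are constructed for the demonstration and are not agepad
       defaults.

```python
# Added example, not agepad's code: models the offline guessing attack the
# PASSPHRASE SECURITY section describes. A cloned repo hands the attacker
# every user's passphrase-wrapped access key, so the only things between
# them and the master key are the scrypt cost per guess and the number of
# guesses the passphrase forces. This does not implement age's file format;
# it mirrors only the shape of a scrypt-wrapped key (salt, work factor,
# wrapped key, tag) so that the attacker's loop is concrete.
from __future__ import annotations

import hashlib
import hmac
import os

# Hypothetical scrypt parameters, deliberately tiny so the demo runs in well
# under a second. A production work factor is orders of magnitude higher,
# which multiplies the attacker's per-guess cost but not the guess count.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1

# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2",
            "Summer2024!", "correcthorsebatterystaple"]


def _kdf(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """scrypt -> 32-byte encryption key and 32-byte MAC key."""
    dk = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return dk[:32], dk[32:]


def wrap_key(access_key: bytes, passphrase: str) -> dict:
    """What `register` leaves in the repo: the user's access key encrypted
    under their passphrase. Toy construction (one-time-pad wrap plus an HMAC
    tag); age uses ChaCha20-Poly1305 under the scrypt-derived key instead."""
    if len(access_key) != 32:
        raise ValueError("access key must be 32 bytes")
    salt = os.urandom(16)
    enc_key, mac_key = _kdf(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(access_key, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(blob: dict, passphrase: str) -> bytes | None:
    """Return the access key, or None if the passphrase is wrong. The tag
    check is exactly the oracle an offline attacker uses to recognise a hit."""
    enc_key, mac_key = _kdf(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], enc_key))


def dictionary_attack(blob: dict, wordlist: list[str]) -> tuple[int, str | None]:
    """Attacker with a clone: one scrypt run per candidate, no rate limit.
    Returns (guesses spent, recovered passphrase or None if exhausted)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if unwrap_key(blob, candidate) is not None:
            return guesses, candidate
    return len(wordlist), None


def demo() -> dict:
    """Two users wrap the same access key under different passphrases; the
    attacker runs the same wordlist against both artifacts."""
    access_key = os.urandom(32)
    weak = wrap_key(access_key, "hunter2")
    strong = wrap_key(access_key, "velvet-osprey-ladder-quartz-sundial")
    return {
        "weak": dictionary_attack(weak, WORDLIST),
        "strong": dictionary_attack(strong, WORDLIST),
        "round_trip": unwrap_key(weak, "hunter2") == access_key,
    }


if __name__ == "__main__":
    print(demo())
```

       Run directly, the weak user's key is recovered on the fifth guess and
       the strong user's passphrase is simply not in the list. Raising
       SCRYPT_N toward a production work factor raises the cost of every one
       of those five guesses by the same factor; it cannot turn five guesses
       into a hard problem, which is the section's point.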

SEE ALSO
       age(1), age-keygen(1)

AGEPAD 1.0.0                      January 2026                        AGEPAD(1)
