Documentation
Overview
Package agessh provides age.Identity and age.Recipient implementations of types "ssh-rsa" and "ssh-ed25519", which allow reusing existing SSH keys for encryption with age-encryption.org/v1.
These recipient types should only be used for compatibility with existing keys, and native X25519 keys should be preferred otherwise.
Note that these recipient types are not anonymous: the encrypted message will include a short 32-bit ID of the public key.
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Ed25519Identity
type Ed25519Identity struct {
// contains filtered or unexported fields
}
func NewEd25519Identity
func NewEd25519Identity(key ed25519.PrivateKey) (*Ed25519Identity, error)
func (*Ed25519Identity) Type
func (*Ed25519Identity) Type() string
type Ed25519Recipient
type Ed25519Recipient struct {
// contains filtered or unexported fields
}
func NewEd25519Recipient
func NewEd25519Recipient(pk ssh.PublicKey) (*Ed25519Recipient, error)
func (*Ed25519Recipient) Type
func (*Ed25519Recipient) Type() string
type EncryptedSSHIdentity
type EncryptedSSHIdentity struct {
// contains filtered or unexported fields
}
EncryptedSSHIdentity is an age.IdentityMatcher implementation based on a passphrase-encrypted SSH private key.
It provides public key based matching and deferred decryption so the passphrase is only requested if necessary. If the application knows it will unconditionally have to decrypt the private key, it would be simpler to use ssh.ParseRawPrivateKeyWithPassphrase directly and pass the result to NewEd25519Identity or NewRSAIdentity.
func NewEncryptedSSHIdentity
func NewEncryptedSSHIdentity(pubKey ssh.PublicKey, pemBytes []byte, passphrase func() ([]byte, error)) (*EncryptedSSHIdentity, error)
NewEncryptedSSHIdentity returns a new EncryptedSSHIdentity.
pubKey must be the public key associated with the encrypted private key, and it must have type "ssh-ed25519" or "ssh-rsa". For OpenSSH encrypted files it can be extracted from an ssh.PassphraseMissingError, otherwise it can often be found in ".pub" files.
pemBytes must be a valid input to ssh.ParseRawPrivateKeyWithPassphrase. passphrase is a callback that will be invoked by Unwrap when the passphrase is necessary.
func (*EncryptedSSHIdentity) Match
func (i *EncryptedSSHIdentity) Match(block *age.Stanza) error
Match implements age.IdentityMatcher without decrypting the private key, to ensure the passphrase is only obtained if necessary.
func (*EncryptedSSHIdentity) Type
func (i *EncryptedSSHIdentity) Type() string
Type returns the type of the underlying private key, "ssh-ed25519" or "ssh-rsa".
func (*EncryptedSSHIdentity) Unwrap
func (i *EncryptedSSHIdentity) Unwrap(block *age.Stanza) (fileKey []byte, err error)
Unwrap implements age.Identity. If the private key is still encrypted, it will request the passphrase. The decrypted private key will be cached after the first successful invocation.
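The 32-bit public key ID from the overview and the public-key-only decision that Match makes, as an added example that is not the agessh package's own code: it derives the ssh-ed25519 stanza tag the way age does (the first 4 bytes of SHA-256 over the RFC 4253 wire-format public key, unpadded base64) and uses the tag alone to decide whether a stanza belongs to the key, which is why the passphrase never has to be requested for a non-matching stanza. The key is constructed from a fixed seed and only the standard library is used; a real identity would compare against the stanza parsed by age itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// sshWireEd25519 encodes pk in the RFC 4253 "ssh-ed25519" wire format:
// each field is a 4-byte big-endian length followed by the field bytes.
func sshWireEd25519(pk ed25519.PublicKey) []byte {
	var out []byte
	for _, field := range [][]byte{[]byte("ssh-ed25519"), pk} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		out = append(append(out, n[:]...), field...)
	}
	return out
}

// recipientTag derives the 32-bit public key ID age writes into an ssh-ed25519
// stanza: first 4 bytes of SHA-256 over the wire-format key, unpadded base64.
func recipientTag(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(sshWireEd25519(pk))
	return base64.RawStdEncoding.EncodeToString(sum[:4])
}

// matchesStanza is the decision EncryptedSSHIdentity.Match can make from the
// public key alone: does "-> ssh-ed25519 <tag> <share>" belong to pk? Only a
// true answer justifies prompting for the private key passphrase.
func matchesStanza(stanzaType string, args []string, pk ed25519.PublicKey) bool {
	if stanzaType != "ssh-ed25519" || len(args) != 2 {
		return false
	}
	return args[0] == recipientTag(pk)
}

// demoKey derives a constructed (not real) key from a fixed seed so the
// tag printed by main is reproducible.
func demoKey() ed25519.PublicKey {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	return ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
}

func main() { fmt.Println("tag:", recipientTag(demoKey())) }
```

Because the tag is a function of the public key only, anyone holding the ciphertext can test whether a known public key is among the recipients, which is the sense in which these recipient types are not anonymous.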
type RSAIdentity
type RSAIdentity struct {
// contains filtered or unexported fields
}
func NewRSAIdentity
func NewRSAIdentity(key *rsa.PrivateKey) (*RSAIdentity, error)
func (*RSAIdentity) Type
func (*RSAIdentity) Type() string
type RSARecipient
type RSARecipient struct {
// contains filtered or unexported fields
}
func NewRSARecipient
func NewRSARecipient(pk ssh.PublicKey) (*RSARecipient, error)
func (*RSARecipient) Type
func (*RSARecipient) Type() string