13 comments

[ 2.4 ms ] story [ 40.0 ms ] thread
I wrote a similar wrapper around Rage+Yubikeys called pass [1], even before I knew passage existed. The fzf integration in your page is beautiful, I'll implement it in pass next.

[1] https://github.com/mihaigalos/pass

This is an interesting way to do password management. But I definitely wouldn't describe this as "simple" or "minimal". You're using passage, Syncthing, restic, git, physical Yubikey, SD card, and don't have great support for mobile.
Do the contents of a qr code get logged anywhere on iOS even if you don't search?
If you are not careful with QR codes, ios will search your secret in Google automatically!
I love Age and have been a fan since the early releases. The fact I can encrypt a backup against a SSH public key and just push it in a non trusted cloud is so damn convenient.

I know it would also work with openssl public key cryptography but openssl is always a hassle to work with.

I might move from my (very-similar) Yubikey/pass setup[1] (with touch-to-decrypt) to this, GPG isn't exactly fun to use. The one difference I have is I keep some non-critical passwords synced to mobile vya pass-for-ios, with a separate key. The app now supports yubikeys, but I haven't gotten around to setting it up properly yet.

[1]: https://captnemo.in/blog/2020/01/04/security-setup/

Why non-critical ones? iPad and iPhone are probably more secure than desktops.
No Yubikey support meant it used a GPG key saved on disk with a passphrase, which went against my "only-hardware-encryption" plan. For non-critical passwords, I didn't mind it, but plan to keep all passwords here once I switch to yubikey on the app.
I think this solutions provides a measure of protections.

I am not so sure these protections would stay intact given the anti-cryptographic device malwares that are floating around, being used to attack various nation-states.

Perhaps the very bespoke nature of it would make it less of a common target?

Do you have a link to these anti cryptographic device malware floating around?
what about passwords that you have to type on websites? this solution does not protect you against phishing at all, right? (i mean, it does not help you with making sure the password is entered on the correct website)
No, but the author doesn't make that claim either.
For mobile, there is a Pass app. It syncs from an accessible git server.

Maybe they add support for Age.