UX: Try passphrase on multiple identities

[ElvishJerricco]

What were you trying to do

Decrypt a file in a script without knowing who will be entering the passphrase.

What happened

age does not support trying multiple identities when decrypting a file. E.G. a file was encrypted with --recipients-file <(cat alice.pub bob.pub). A script that runs automatically on boot uses age -d -i alice.priv -i bob.priv. It might be either Alice or Bob who is present to enter the passphrase for their private key; the system does not know which. It should try the passphrase on both private keys so that decryption will succeed no matter which one of them is present.

[FiloSottile]

Hmm, I am a bit confused, because currently age doesn't support passphrase encrypted private key files, it only supports passphrase encrypted files. If it asks for a passphrase, it's the passphrase of the file, not of the key. If it uses one of the keys, it won't ask for a passphrase.

Can you elaborate or maybe post an example sequence? Thank you!

[ElvishJerricco]

Sorry, I had not noticed this was moved to discussion. Age does appear to support passphrase-encrypted ssh private key files, though age keys don't have this feature.

$ ssh-keygen -f alice -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
$ ssh-keygen -f bob -t ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
$ age --recipients-file <(cat alice.pub bob.pub) payload -o payload.age
$ age -d -i ./alice -i ./bob payload.age
Enter passphrase for "./alice":

So it'd be nice to try the passphrase on both the alice and bob keys.