
app age-plugin-openpgp-card

Age plugin for using ed25519 on OpenPGP Card devices (Yubikeys, Nitrokeys)

1 unstable release

0.1.0 Apr 16, 2024


Apache-2.0 OR MIT

22KB
235 lines

Age Plugin: OpenPGP Card

This age plugin allows you to reuse your OpenPGP Card devices (such as Yubikeys or Nitrokeys) for age decryption.

Why? OpenPGP Card, contrary to its name, is just a generic cryptographic device. Most importantly, both the spec and the real-world devices in the wild (e.g. Yubikeys) support ed25519.

If you don't need ed25519, age-plugin-yubikey provides a more polished experience.

This plugin assumes that you have already provisioned the card. The oct admin generate command may be used to provision the card with a new ed25519 key.

Usage

Running the tool directly outputs public keys and identity stubs for all connected cards:

$ age-plugin-openpgp-card | tee identity.txt
# Card ident 0006:15422467
# age1dkfzfyk58yvkf07n32nygkyuqxtnq2am427sy79gjkh6krf96frsucn0me
AGE-PLUGIN-OPENPGP-CARD-1XQCRQD36XY6NGV3JXSMRWAN88PC

Note that the public key looks like a regular age ed25519 key. The stub encodes the card identifier and is mostly irrelevant.
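To check which card a stub points to, the stub can be decoded as Bech32, the encoding age uses for plugin identities. The Rust code below is an added example, not part of the plugin's code; decode_stub and its return shape are names chosen for this illustration, and the input is the sample stub from the output above.

```rust
const CHARSET: &[u8] = b"qpzry9x8gf2tvdw0s3jn54khce6mua7l";

/// Bech32 (BIP-173) checksum polynomial over 5-bit values.
fn polymod(values: &[u8]) -> u32 {
    const GEN: [u32; 5] = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
    let mut chk: u32 = 1;
    for &v in values {
        let top = chk >> 25;
        chk = ((chk & 0x1ff_ffff) << 5) ^ u32::from(v);
        for (i, g) in GEN.iter().enumerate() {
            if (top >> i) & 1 == 1 { chk ^= g; }
        }
    }
    chk
}

/// Hypothetical helper: returns (hrp, payload bytes, checksum_ok), or None if malformed.
fn decode_stub(stub: &str) -> Option<(String, Vec<u8>, bool)> {
    let s = stub.trim().to_ascii_lowercase();
    let sep = s.rfind('1')?; // '1' separates the prefix from the data part
    let (hrp, data) = (&s[..sep], &s[sep + 1..]);
    if hrp.is_empty() || data.len() < 6 { return None; }
    // Map each character to its 5-bit value; reject anything outside the alphabet.
    let vals: Vec<u8> = data.bytes()
        .map(|c| CHARSET.iter().position(|&x| x == c).map(|p| p as u8))
        .collect::<Option<_>>()?;
    // Checksum input: prefix high bits, 0, prefix low bits, then data and checksum.
    let mut chk_in: Vec<u8> = hrp.bytes().map(|b| b >> 5).collect();
    chk_in.push(0);
    chk_in.extend(hrp.bytes().map(|b| b & 31));
    chk_in.extend(&vals);
    let ok = polymod(&chk_in) == 1;
    // Regroup 5-bit values into bytes, skipping the 6 checksum characters and padding.
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for &v in &vals[..vals.len() - 6] {
        acc = (acc << 5) | u32::from(v);
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some((hrp.to_string(), out, ok))
}

fn main() {
    let stub = "AGE-PLUGIN-OPENPGP-CARD-1XQCRQD36XY6NGV3JXSMRWAN88PC"; // sample stub from this page
    let (hrp, card, ok) = decode_stub(stub).expect("malformed stub");
    println!("{hrp} -> {} (checksum ok: {ok})", String::from_utf8_lossy(&card));
}
```

For the sample stub the payload is the 13 ASCII bytes of the card ident from the comment line, 0006:15422467, and nothing else.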

Any age-compatible tool can be used for encryption:

$ echo I like strawberries | rage -r age1dkfzfyk58yvkf07n32nygkyuqxtnq2am427sy79gjkh6krf96frsucn0me -a > encrypted.age

And the identity stubs are required for decryption:

$ rage -d -i identity.txt < encrypted.age
I like strawberries

The plugin will ask you for the PIN using the built-in plugin protocol (this would usually show a pin-entry prompt).

License

This project is licensed under either of Apache-2.0 or MIT, at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this crate by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~8–19MB
~261K SLoC