Switching from GPG to age

It’s been several years since I went through all the trouble of setting up my own GPG keys and securing them in YubiKeys following drduh’s guide. With that approach, you generate one key securely offline and store it on multiple YubiKeys, along with a backup.

It has worked well for me for years, and as the Lindy effect suggests, it would almost certainly continue to.

But as my sub-keys were nearing expiration, I was faced with either renewing (more convenient, no forward secrecy) or rotating them (rather painful, but potentially more secure). However, I’ve realized that I essentially only use these keys for encryption, and almost never for signing. So, instead of doing either of the usual options, I’m going to let my keys expire entirely.

I’m now experimenting with age, which touts itself as “simple, modern, and secure encryption”. If needed, I will use minisign for signatures.

Workflow changes

This required changing a couple of things in my typical workflow.

Password manager

First, and foremost, I needed to switch from pass to passage, a fork of pass that uses age as the backend. This was actually surprisingly easy because passage includes a simple bash script to do the migration.

#! /usr/bin/env bash
set -eou pipefail
cd "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
while read -r -d "" passfile; do
  name="${passfile#./}"; name="${name%.gpg}"
  [[ -f "${PASSAGE_DIR:-$HOME/.passage/store}/$name.age" ]] && continue
  pass "$name" | passage insert -m "$name" || { passage rm "$name"; break; }
done < <(find . -path '*/.git' -prune -o -iname '*.gpg' -print0)

There is no installer for passage, and no Arch packages. But it’s easy enough to install because it’s just a shell script you can throw on your $PATH. Note that for Arch, I also needed to install tree, which it assumes you have.

I also name passage as pass on my machine.

The benefit of this is everything that had pass integration has continued to “just work”. For example, aerc, my email client of choice, behaved exactly the same after the migration.

No more gpg-agent

I would occasionally use gpg-agent as my SSH agent on my machines. It was convenient. However, I also like the idea of having a dedicated SSH key per machine. It makes monitoring their usage and revoking them much finer-grained.

The absence of gpg-agent forced me to set up new keys on all my machines and add them to various servers/services.

Benefits of the age approach

Easy encryption with chezmoi

While I was tending to the encryption area of my personal tech “garden”, I also started leveraging chezmoi’s encryption features. I already use chezmoi for my configuration files, but with encryption, I could also easily add “secrets” to my public dotfiles repo. In my case so far, this just means my copies of my favorite paid font: Berkeley Mono.

chezmoi also has a nice guide for configuring chezmoi to encrypt while asking for a passphrase only once for age.

Easy YubiKey configuration

I was also very pleasantly surprised with how easy it was to switch to age! Last time I set up the GPG keys on my YubiKeys, I spent several hours.

This time, with the help of age-plugin-yubikey and embracing the idea of having unique keys on each YubiKey, but encrypting everything for multiple recipients, setting up my keys was surprisingly trivial. It also generates the keys securely on the hardware key itself, which is nice. The whole process probably took 30 minutes. It was so easy that in the future, I’m very much not intimidated by the thought of rotating keys.

Thoughts

Did I need to switch to age? Of course not.

However, over my career, I repeatedly find that exploring new tools for your core workflows (part of investing in interfaces) is just plain fun. I often learn new ways of thinking about problems. Sometimes, you walk away with a new default that brings some fresh ideas and some delight to your life. Other times, you walk away with your trusty old tool, with greater appreciation for its history and the hard-earned approach it has established. For my uses at the moment, age definitely falls into the former camp.

Tip

This post made it to Hacker News. See the thread for some additional discussion.

Posts from blogs I follow

Kaizen #4: Overhauled homelab

I started this “blog-series” to force myself to write more about my set up, and my continuous iterations. But it didn’t happen… until today! This post has been a long time coming, and I have kept the ideas in my head and notes. I will walk through everythi…

via Tim Hårek July 05, 2026

Better Models: Worse Tools

Better Models: Worse Tools Armin reports on a weird problem he ran into while hacking on Pi: The short version is that newer Claude models sometimes call Pi’s edit tool with extra, invented fields in the nested edits[] array. And not Haiku or some small m…

via Simon Willison's Weblog July 04, 2026

Verizon is About to Break our Watches

Two years ago I bought a pair of Gizmo watches for my kids ( review). There's a companion app for texting and configuration ("Gizmohub"), and Verizon is moving everyone over to a new one ("Verizon Family"). But the new app doesn't work for watch-only acco…

via Jeff Kaufman's Writing July 04, 2026

Generated by openring-rs from my blogroll.