Decrypting with multiple identities #178

Open
kukovecz opened this issue Apr 16, 2024 · 1 comment
kukovecz commented Apr 16, 2024

Hello,

Thanks for this plugin!

My scenario is:

  • I am encrypting a secret with 2 recipients (returned by age-plugin-yubikey --list-all)
  • I would like it to be decryptable by either one of the identities (returned by age-plugin-yubikey --identity)

For this, I am using https://github.com/ryantm/agenix and I realized it does the following:

age --decrypt -i <identity-1> -i <identity-2> FILE

The problem is:
If I have the yubikey with <identity-1> plugged in, it works, but if I have the one with <identity-2> it does not.
Executing the above command manually brings up a popup to choose between skipping the yubikey or inserting it and trying it again, so I got this error:

age: warning: could not read value for age-plugin-yubikey: standard input is not a terminal, and /dev/tty is not available: open /dev/tty: no such device or address
age: error: yubikey plugin: Could not open YubiKey with serial <serial>

If I change the order to (still: yubikey with <identity-2> is plugged in), it works:

age --decrypt -i <identity-2> -i <identity-1> FILE

Could this be handled to make the decryption successful if any of the provided identities are ok? Am I missing something?

@DanNixon

The underlying issue is the interactive prompt generated when the plugin fails to find the YubiKey for the identity it is attempting to use.

i.e.

Please insert YubiKey with serial xxxxxxxx (press [1] for "YubiKey is plugged in" or [2] for "Skip this YubiKey")

I would have voiced my desire for this prompt to be made optional, with the alternative being to automatically skip an identity if the YubiKey it is associated with is not present.

However, I think doing so would cause another issue whereby the PIN would be required for each decryption (at least for all but the first key in the identity file). I imagine the issue arises from an attempt to access a key that is not present closing the existing session on the present key (see also).
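One way to work around the order dependence reported above, as an added example that is not from this thread or from the plugin: invoke age once per identity file, so an identity whose YubiKey is absent fails on its own instead of blocking the ones that follow it. AGE_CMD and the fake_age stand-in are assumptions introduced here for an offline run; with the real age binary, each separate attempt may trigger its own PIN prompt, which is the cost DanNixon points out.

```shell
#!/bin/sh
# Try each identity file on its own and stop at the first successful decryption.
# AGE_CMD is an assumption: the decrypt command to run (defaults to `age`).
: "${AGE_CMD:=age}"

# decrypt_with_any_identity FILE ID1 [ID2 ...]
# Runs "$AGE_CMD --decrypt -i ID FILE" per identity. stdin is closed so a plugin
# cannot sit waiting on a prompt; a failing identity just moves on to the next.
decrypt_with_any_identity() {
    file=$1
    shift
    for id in "$@"; do
        if "$AGE_CMD" --decrypt -i "$id" "$file" </dev/null 2>/dev/null; then
            return 0
        fi
    done
    echo "none of the provided identities could decrypt $file" >&2
    return 1
}

# Constructed stand-in for `age`, used only to exercise the function offline:
# it "decrypts" when the identity file contains the word present, mimicking a
# YubiKey that is plugged in, and fails otherwise.
fake_age() {
    # expected invocation: fake_age --decrypt -i IDFILE FILE
    [ "$(cat "$3")" = present ] && echo "plaintext of $4"
}
```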
