Ledger application for age encryption/decryption

Encrypt/decrypt files by using age and a public/private key stored on a Ledger device.

This app is used to manage an age identity on a Ledger device.

Validation on the Nano before sending the decryption key

Installing the app

Ledger Live App catalog

A version of this app for Nano S Plus and Nano X is available on Ledger Live. To install it:

  • Open Ledger Live

  • Since the app is still in pre-release, you need to enable Developer mode and manually choose the right app provider.

    • Go to Settings
    • Enable Developer mode
    • Under My Ledger provider, choose 4

    Ledger Live setting

  • With your device plugged in: go to My Ledger, search in the app catalog for age identity and install it.

Local building and installing

You can also compile this app locally by executing cargo ledger build <device> (with <device> being either nanosplus or nanox).

Additionally, you can load the app to your device by using Cargo Ledger. Please note that loading this app on a device without using Ledger Live is only available for Nano S Plus and requires the ledgerctl Python tool.

To do so, just execute: cargo ledger build nanosplus --load.

Requirements

To use this app, you first need to:

Usage

There are four basic usages (illustrated here with the rage client and a Nano S Plus).

Encryption

Retrieving the recipient associated with the age identity

A recipient string containing public data needs to be provided in order to perform encryption.

To retrieve the recipient associated with a Ledger device, call the ledger plugin with the --list option.

➜ age-plugin-ledger --list
age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v

Validation on the Nano before sending the recipient

Encrypting for a Ledger recipient

To encrypt, just use your age client as you would for any other type of recipient.

➜ rage -r age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v -e example -o example.age

Note that this step can be done without having any Ledger device, but still requires the Ledger plugin for age.

Decryption

Retrieving the identity stub

To decrypt a file, age clients require an identity to be provided (one that usually contains the private data associated with a recipient). The Ledger plugin for age uses a "stub" identity which does not contain any private data. It is used to identify the device holding the private material needed to decrypt for a given recipient.

To retrieve a stub identity associated with a Ledger device, call the ledger plugin with the --identity option.

➜ age-plugin-ledger --identity | tee id
Recipient: age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
#    Recipient: age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
AGE-PLUGIN-LEDGER-1WH90T6PD06QN907ADRARJTDMR20K7K8HQQVY8RX7PSVGS5P3Q7PQLHDJXV 
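
An added example, not code from this project: a Python check that an identity file such as `id` above holds only plugin stubs and no native `AGE-SECRET-KEY-` line, and that names the plugin binary an age client needs on its PATH to use it. It assumes the age plugin naming convention (`age1<name>` recipients, `AGE-PLUGIN-<NAME>-` identities, binary `age-plugin-<name>`); `bech32_ok`, `classify` and `audit_identity_file` are hypothetical names.

```python
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def bech32_ok(s):
    """Verify Bech32 form and checksum (no 90-character limit is applied)."""
    if s not in (s.lower(), s.upper()):
        return False  # mixed case is invalid
    hrp, sep, data = s.lower().rpartition("1")
    if not (sep and hrp) or len(data) < 6 or any(c not in CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    chk = 1
    for v in values + [CHARSET.index(c) for c in data]:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk == 1

def classify(s):
    """Return (kind, plugin_binary) from the prefix before the last '1' (assumed convention)."""
    hrp = s.strip().lower().rpartition("1")[0]
    for kind, pat in (("plugin-recipient", r"age1(.+)"), ("plugin-identity", r"age-plugin-(.+)-")):
        m = re.fullmatch(pat, hrp)
        if m:
            return kind, "age-plugin-" + m.group(1)
    native = {"age": "native-recipient", "age-secret-key-": "native-secret-key"}
    return native.get(hrp, "unknown"), None

def audit_identity_file(text):
    """Report what an identity file holds and which plugin binaries it needs."""
    report = {"entries": [], "private_key_on_disk": False, "plugins_needed": set()}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no key material
        kind, plugin = classify(line)
        report["entries"].append((n, kind, bech32_ok(line)))
        report["private_key_on_disk"] |= kind == "native-secret-key"
        if plugin:
            report["plugins_needed"].add(plugin)
    return report

# The `id` file shown on this page (output of `age-plugin-ledger --identity`).
SAMPLE_ID = """\
#    Recipient: age1ledger1qtrtrlkyewan5wcl75zetx6wy9j8vrw4kvy388ew0estmcgcj6wsw9sle8v
AGE-PLUGIN-LEDGER-1WH90T6PD06QN907ADRARJTDMR20K7K8HQQVY8RX7PSVGS5P3Q7PQLHDJXV
"""
```

Each entry is `(line number, kind, checksum valid)`; a `native-secret-key` entry means the file carries private key material rather than a stub.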

Decrypting with a Ledger stub identity

To decrypt, just use your age client as you would for any other type of identity.

➜ rage -d -i id -o example_decrypted example.age

Validation on the Nano before sending the decryption key