Using Age to Publicly Post Sensitive Data

Written by Paco Pascal, on 11 June 2022.
Tags: #unix #linux #gpg #age #cryptography

1. The Problem

Recently, I had an issue where I was working on a set of remote servers and needed to copy files between different servers. Some of the servers were sandboxes that could've been infected by malicious software; therefore, I didn't want to leak any information in the sandboxes about any production servers or credentials.

My first instinct was to post to pastebin. But I wanted to encrypt the data before posting. Using GnuPG in the sandboxes was problematic. This is where Age provided a convenient solution.

2. The Solution

On a production machine, we can easily create a temporary Age key by doing, 

age-keygen -o key.txt

which gives the following output, 

Public key: age15v5xqysc8g7spuzdyk0v5q90m609ruaecwnlv2x67zv5xqnju4esp2tz3j

Instead of using, pastebin for posting, we'll use https://0x0.st/ which doesn't require an API key. On the insecure server, do the following, 

age --encrypt -r age15v5xqysc8g7spuzdyk0v5q90m609ruaecwnlv2x67zv5xqnju4esp2tz3j -a /path/to/private/file | curl -F 'file=@-' https://0x0.st/

which will output a URL, such as 

https://0x0.st/oM5X.txt

Now we can download this file and decrypt it in a safe location. 

curl -s https://0x0.st/oM5X.txt | age --decrypt -i key.txt -o secret_file.txt

3. Solution Simplification

We can make this process smoother by writing two scripts. An upload script such as, 

#!/bin/sh

RECIPIENTS=${RECIPIENTS:-"$@"}

if [ -z "$RECIPIENTS" ]; then
    echo "Usage: $0 [recipient public key]..."
    exit 1
fi

for r in $RECIPIENTS; do
    AGEFLAGS="${AGEFLAGS} -r ${r}"
done

age $AGEFLAGS -a | curl -F 'file=@-' https://0x0.st/

and a download script such as, 

#!/bin/sh

URL=$1
AGEKEY=${2:-key.txt}

if [ -z $URL ]; then
    echo "Usage: $0 url [age key file]"
    exit 1
fi

curl -s $URL | age --decrypt -i ${AGEKEY}

Now if we have two age keys, key-1.txt (age1dwj4jcfp9wfpslrj4gnws5y5llzetdzu0cpndtr96fr3htlgdvusk6w8tg) and key-2.txt (age1xqz970tzhklqp0qyz9x3c3yur3jd65urasmwer0thzc4k6y6qftq7sc2zw), we can upload an encrypted file for both keys by doing, 

echo secret text | ./age-post.sh \
  age1dwj4jcfp9wfpslrj4gnws5y5llzetdzu0cpndtr96fr3htlgdvusk6w8tg \
  age1xqz970tzhklqp0qyz9x3c3yur3jd65urasmwer0thzc4k6y6qftq7sc2zw

and download the same content for each key, 

1: $ ./age-pull.sh https://0x0.st/oM5_.txt key-1.txt
2: secret text
3: $ ./age-pull.sh https://0x0.st/oM5_.txt key-2.txt
4: secret text