In the previous article, I set up disposable containers to test my chezmoi dotfiles. That works, but there’s still too much manual effort involved — especially the SSH key. Every new container means copying it in by hand.
So I decided to encrypt the SSH key with age and store it directly in the dotfiles repo. Chezmoi supports age-based decryption out of the box, which makes this a natural fit. On top of that, I want future tool installations — zsh, tmux, neovim — to be handled automatically too, not typed in manually every time.
But before any of that could happen, I needed age itself. And that turned out to be less straightforward than expected.
Why Post-Quantum Matters#
When it comes to encryption, quantum computing is the elephant in the room. Quantum computers will eventually be able to break many of the cryptographic algorithms we rely on today. The smart move is to start using post-quantum secure keys now, so that data encrypted today can’t be decrypted by a quantum computer tomorrow.
Luckily, age supports this. By passing the -pq flag when generating a key, age creates a post-quantum secure key pair. Simple enough — so let’s start by installing age.
The Problem: Outdated Packages#
The obvious first step:
sudo apt install ageThen create a post-quantum key:
age-keygen -pq -o my-new-age-key.txtUnfortunately, this doesn’t work:
marcus@devvm ~ % age-keygen -pq -o my-new-age-key.txt
flag provided but not defined: -pqThe -pq flag isn’t recognized. Let’s check the installed version:
marcus@devvm ~ % age-keygen --version
1.1.1There it is. The apt package manager ships version 1.1.1, which predates post-quantum support entirely. At the time of writing, the latest release is v1.3.1.
The Fix: Installing age From the Binary Release#
First, let’s remove the outdated version:
sudo apt remove ageThen download and install the latest release directly from GitHub:
AGE_VERSION="1.3.1"
cd /tmp
curl -LO "https://github.com/FiloSottile/age/releases/download/v${AGE_VERSION}/age-v${AGE_VERSION}-linux-amd64.tar.gz"
tar xzf "age-v${AGE_VERSION}-linux-amd64.tar.gz"
sudo mv age/age age/age-keygen /usr/local/bin/
rm -rf age "age-v${AGE_VERSION}-linux-amd64.tar.gz"
cd -Let’s verify:
marcus@devvm ~ % age-keygen --version
v1.3.1Now let’s try that post-quantum key again:
marcus@devvm ~ % age-keygen -pq -o my-new-age-key-with-pq.txt
Public key: age1pq197gewjr6cswan...xpgettdwpThere we go. The key is significantly longer than a classic age key — that’s the post-quantum cryptography at work.
Where to Store the Key#
One more thing to figure out: where should this key live?
I’ve been using age before in the context of SOPS, where the key sits at ~/.config/sops/age/key.txt. But this new key isn’t just for SOPS — it’s for chezmoi too, and potentially other tools down the line.
Since I’m a solo developer, not a team, it makes sense to keep things simple and use a single key for multiple purposes. I can always split into separate keys later if needed.
I settled on ~/.config/age/key.txt as the canonical location, and point each tool to it explicitly.
For SOPS, that means setting an environment variable:
export SOPS_AGE_KEY_FILE="$HOME/.config/age/key.txt"For chezmoi, I specify the key location in chezmoi.toml:
encryption = "age"
[age]
identity = "~/.config/age/key.txt"
recipient = "age1pq1..."This way, both tools use the same key with explicit configuration. If I ever need separate keys for different purposes, I can split them out and give each file a meaningful name like dotfiles-key.txt.
What’s Next#
This is a good example of how one thing leads to another. All I wanted was to encrypt my SSH key and have chezmoi decrypt it automatically. I’m not there yet — the age setup alone turned into its own adventure. But with a working post-quantum age installation and a clear place for the key, I’m ready to wire it all up with chezmoi in the next post.
