Age (Deterministic) Key Derivation

AgeKD is a Go library that can be used to derive age X25519 identities deterministically from keys or passwords.

This package does not provide a CLI. If you need that functionality, check out age-keygen-deterministic.

See the upstream age documentation for further guidance on working with age identities and recipients.

This package is currently pre-v1 and is therefore subject to breaking changes.

When would you use this?

• You already have key material and want to use it for age operations.
• Your execution environment has the capability to generate cryptographically secure keys, but it prevents your program from persisting custom keys (such as a Kubernetes pod using Hashicorp Vault).
• You want to programmatically derive age identities from passwords.

Installation

Inside your project folder, run:

go get github.com/awnumar/agekd

Usage

To generate an age identity from a high-entropy key:

identity, err := agekd.X25519IdentityFromKey(key, nil)
if err != nil {
    // handle error
}
_ = identity // *age.X25519Identity

To generate multiple age identities from a single key, specify a salt:

identity, err := agekd.X25519IdentityFromKey(key, []byte("hello"))

To generate an age identity from a password:

identity, err := agekd.X25519IdentityFromPassword(password, nil)

The default Argon2id parameters are:

DefaultArgon2idTime    uint32 = 4
DefaultArgon2idMemory  uint32 = 6291456 // KiB = 6 GiB
DefaultArgon2idThreads uint8  = 8

which takes ~3s per hash on an AMD 5800X3D 8-Core CPU. You can select your own parameters with:

identity, err := agekd.X25519IdentityFromPasswordWithParameters(password, nil, time, memory, threads)

For guidance on Argon2id parameter selection, refer to rfc9106.

Licensing

Unless otherwise specified within a file, this code is distributed under the MIT license.

The bech32 package was copied verbatim from https://github.com/FiloSottile/age/tree/v1.2.0/internal/bech32