agekd

package module

v1.1.1 Latest Latest Go to latest Published: Jan 12, 2026 License: MIT Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/awnumar/agekd

Links

Open Source Insights

README ¶

Age (Deterministic) Key Derivation

AgeKD is a Go library that can be used to derive age identities deterministically from keys or passwords.

See the upstream age documentation for further guidance on working with age identities and recipients.

When would you use this?

You already have key material and want to use it for age operations.
Your execution environment has the capability to generate cryptographically secure keys, but it prevents your program from persisting custom keys.
You want to programmatically derive age identities from passwords.

Installation

Inside your project folder, run:

go get github.com/awnumar/agekd

Usage

To generate an age identity from a high-entropy key:

// Post-quantum secure, based on ML-KEM 768 with X25519 (X-Wing: https://eprint.iacr.org/2024/039)
identity, err := agekd.HybridIdentityFromKey(key, nil)
if err != nil {
    // handle error
}
_ = identity // *age.HybridIdentity

// Not post-quantum secure, based on X25519
identity, err = agekd.X25519IdentityFromKey(key, nil)
if err != nil {
    // handle error
}
_ = identity // *age.X25519Identity

To generate multiple age identities from a single key, specify a salt:

identity, err := agekd.HybridIdentityFromKey(key, []byte("hello"))

To generate an age identity from a password:

identity, err := agekd.HybridIdentityFromPassword(password, nil)

The default Argon2id parameters are:

DefaultArgon2idTime    uint32 = 4
DefaultArgon2idMemory  uint32 = 6291456 // KiB = 6 GiB
DefaultArgon2idThreads uint8  = 8

which takes ~3s per hash on an AMD 5800X3D 8-Core CPU. You can select your own parameters with:

identity, err := agekd.HybridIdentityFromPasswordWithParameters(password, nil, time, memory, threads)

For guidance on Argon2id parameter selection, refer to rfc9106.

Licensing

Unless otherwise specified within a file, this code is distributed under the MIT license.

The bech32 package was copied verbatim from https://github.com/FiloSottile/age/tree/v1.3.1/internal/bech32

Documentation ¶

Index ¶

Constants
func HybridIdentityFromKey(key, salt []byte) (*age.HybridIdentity, error)
func HybridIdentityFromPassword(password, salt []byte) (*age.HybridIdentity, error)
func HybridIdentityFromPasswordWithParameters(password, salt []byte, argon2idTime, argon2idMemory uint32, ...) (*age.HybridIdentity, error)
func X25519IdentityFromKey(key, salt []byte) (*age.X25519Identity, error)
func X25519IdentityFromPassword(password, salt []byte) (*age.X25519Identity, error)
func X25519IdentityFromPasswordWithParameters(password, salt []byte, argon2idTime, argon2idMemory uint32, ...) (*age.X25519Identity, error)

Constants ¶

View Source

const (
	DefaultArgon2idTime    uint32 = 4
	DefaultArgon2idMemory  uint32 = 6291456 // KiB = 6 GiB
	DefaultArgon2idThreads uint8  = 8
)

Variables ¶

This section is empty.

Functions ¶

func HybridIdentityFromKey ¶ added in v1.1.0

func HybridIdentityFromKey(key, salt []byte) (*age.HybridIdentity, error)

HybridIdentityFromKey derives a hybrid age MLKEM768X25519 identity from a high-entropy key. Callers are responsible for ensuring that the provided key is suitably generated, e.g. 32 bytes read from crypto/rand.

func HybridIdentityFromPassword ¶ added in v1.1.0

func HybridIdentityFromPassword(password, salt []byte) (*age.HybridIdentity, error)

HybridIdentityFromPassword derives a hybrid age MLKEM768X25519 identity from a password using Argon2id, with strong default parameters.

func HybridIdentityFromPasswordWithParameters ¶ added in v1.1.0

func HybridIdentityFromPasswordWithParameters(password, salt []byte, argon2idTime, argon2idMemory uint32, argon2idThreads uint8) (*age.HybridIdentity, error)

HybridIdentityFromPasswordWithParameters derives a hybrid age MLKEM768X25519 identity from a password, with custom Argon2id parameters.

func X25519IdentityFromKey ¶

func X25519IdentityFromKey(key, salt []byte) (*age.X25519Identity, error)

X25519IdentityFromKey derives an age X25519 identity from a high-entropy key. Callers are responsible for ensuring that the provided key is suitably generated, e.g. 32 bytes read from crypto/rand.

For post-quantum security, use HybridIdentityFromKey instead.

func X25519IdentityFromPassword ¶

func X25519IdentityFromPassword(password, salt []byte) (*age.X25519Identity, error)

X25519IdentityFromPassword derives an age X25519 identity from a password using Argon2id, with strong default parameters.

For post-quantum security, use HybridIdentityFromPassword instead.

func X25519IdentityFromPasswordWithParameters ¶

func X25519IdentityFromPasswordWithParameters(password, salt []byte, argon2idTime, argon2idMemory uint32, argon2idThreads uint8) (*age.X25519Identity, error)

X25519IdentityFromPasswordWithParameters derives an age X25519 identity from a password, with custom Argon2id parameters.

For post-quantum security, use HybridIdentityFromPasswordWithParameters instead.

Types ¶

This section is empty.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
bech32 Package bech32 is a modified version of the reference implementation of BIP173.	Package bech32 is a modified version of the reference implementation of BIP173.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL