BIP-39 mnemonics for age identities

[FiloSottile]

An age identity is 256 bits, so it fits in a BIP-39 24 words mnemonic unmodified. We could add a mode to age-keygen like -y, or make a separate tool.

[ChristopherA]

If you are going to support using BIP-39 mnemonics (which I think is a good idea), don't use them directly — either choose a register a new BIP-32 derivation and derive a 256 bit key using it from the mnemonics. This way if you are protecting your seed offline (mine is on titanium in a safe place), you are risking reuse of the seed for encryption with other uses (I don't have time to have a bunch of titanium offline keys).

Take a look at seedtool-cli and keytool-cli for some command line tools that specialize in careful management of entropy seeds and deriving key derivations from them. We even have offline hardware for deriving keys from seeds in LetheKit and an iOS app Gordian Seed Tool that supports airgapped crypto-request to derive a key safely from a seed.

[FiloSottile]

@ChristopherA That would be nice, but it wouldn't support converting an existing key to a mnemonic, which I expect will be a somewhat common use case. You can still easily write a tool (or better, add support to a tool you already use!) to generate an age identity from a seed mnemonic.

Let me know if I can help adding support to existing tools. If you need a label, you can use age-encryption.org/v1.

[ChristopherA]

I do not recommend that you should support or recommend converting existing age keys to a BIP39 mnemonic — I believe this to be a bad security practice, as seeds should be solely used to derive keys, not used as keys themselves.

At minimum you should derive a key from the seed by using a pbdkf function with a constant (some good reviewed code for this is in bc-crypto-base, or use a well-vetted BIP32 library (we use lib-wally-core and register a BIP32 derivation path at SLIP-44 with age as a the coin type. BIP32 has the advantage of supporting the ability in the future to have simple revocation or rotation case keys, as you can use key index 0 by default, and rotate to key index 1+ later.

The reason for not using seeds as keys is to avoid collision and reuse with other keys derived from that seed. We've found that most people can only afford the time to properly backup one seed, thus asking people to store lots of seeds is risky. Fortunately there are lots of options to help backup BIP39 mnemonics and derive keys from them safely out there because of the cryptocurrency world.

I don't have a problem for better support of converting a BIP-32 mnemonic based seed to a age key — other than registering the BIP32 coin type, command line is trivial using seedtool-cli and keytool-cli, and there is lots of reliable code out there for doing the same (c, go, rust, javascript, etc.)

@FiloSottile — are you up for submitting a PR to reserve/register a number for age to the SLIP-44 repo? I can then write an example script for you to convert a BIP39 mnemonic to an age key. With that as a proof of concept would be relatively trivial to then have some write a micro-python plugin for age for integration with secure hardware tools like the Trezor, or Airgapped security devices. You don't need to be a cryptocurrency user to leverage their hardware.

[bbjubjub2494]

I have just written a tool for this and proposed a SLIP-44 number. Open to any feedback ofc.