The generate-encryption-identity command

zallet generate-encryption-identity generates a new age encryption identity — used to encrypt the wallet’s key material at rest — and writes it to an identity file that zallet init-wallet-encryption can consume. It uses the same age library that Zallet links internally, so no external rage / rage-keygen binary is required.

$ zallet generate-encryption-identity
Public key: age1...

Output location

By default the identity is written to the path configured as keystore.encryption_identity, which is encryption-identity.txt inside the data directory (~/.zallet by default). The data directory can be overridden with -d $DIRECTORY, and the output file can be chosen with -o/--output. Use -o - to write the identity to stdout instead of to a file; this is primarily useful for scripting the setup of ephemeral test environments (regtest, the integration test suite, testnet). Note that with -o - the secret key itself goes to stdout, so take care that scripted output is not captured in logs.

An existing identity file is never overwritten.

WARNING: If a wallet has already been initialized with this identity, deleting or replacing the identity file makes the wallet’s key material PERMANENTLY UNRECOVERABLE. Do not remove it unless you are certain that no wallet depends on it.

NOTE: Non-interactive generation is intended for disposable test environments. A mainnet wallet is not a throwaway container resource: automatically tearing down its key material means irrecoverable loss of funds. Make sure the mnemonics the wallet protects are backed up before relying on it.

Plain vs passphrase-encrypted identities

Without flags, a plain identity file is written, in rage-keygen’s format (a # created: and # public key: comment header followed by the AGE-SECRET-KEY-1... line):

$ zallet -d /path/to/zallet/datadir generate-encryption-identity
Public key: age1...

With -p/--passphrase, the identity is passphrase-encrypted and ASCII-armored. In interactive use you are prompted for the passphrase (with confirmation). In non-interactive contexts (for example, automated test setup), the passphrase is read from the ZALLET_IDENTITY_PASSPHRASE environment variable instead:

$ ZALLET_IDENTITY_PASSPHRASE=... zallet -d /path/to/zallet/datadir generate-encryption-identity -p
Public key: age1...

The environment variable, when set, is read once and is not persisted by Zallet.
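The following shell helpers are an added example for the scripted, non-interactive setup described above; they are not part of Zallet or its book. They use only the flags this page documents (-d, -p and the ZALLET_IDENTITY_PASSPHRASE variable) and assume keystore.encryption_identity is still at its default, so the identity lives at $DATADIR/encryption-identity.txt. The chmod step is an added hardening measure, not something the page says Zallet does itself. The file-format checks let a setup script tell a plain rage-keygen-style identity from a passphrase-encrypted, ASCII-armored one before handing it to init-wallet-encryption.

```shell
#!/bin/sh
# Added example, not Zallet's own code: helpers for provisioning an
# encryption identity in an ephemeral (regtest) data directory.
# Assumption: keystore.encryption_identity is at its default, i.e.
# $DATADIR/encryption-identity.txt.
set -eu

# Classify an identity file by its recognisable lines:
#   plain   - rage-keygen format (contains an AGE-SECRET-KEY-1... line)
#   armored - passphrase-encrypted, ASCII-armored age output
#   unknown - anything else; do not hand this to init-wallet-encryption
identity_kind() {
  if grep -q '^AGE-SECRET-KEY-1' "$1"; then
    echo plain
  elif grep -q '^-----BEGIN AGE ENCRYPTED FILE-----' "$1"; then
    echo armored
  else
    echo unknown
  fi
}

# Recover the recipient (age1...) from a plain identity's comment header
# without touching the secret line.
identity_public_key() {
  sed -n 's/^# public key: *//p' "$1" | head -n 1
}

# Generate an identity only if none exists yet. Zallet never overwrites an
# existing identity file, but stopping here keeps the "a wallet may already
# depend on this" decision explicit in the script.
#   $1 = data directory, $2 = "plain" (default) or "passphrase"
# Returns 2 when an identity is already present, 1 on misuse.
generate_identity_if_missing() {
  datadir="$1"
  mode="${2:-plain}"
  idfile="$datadir/encryption-identity.txt"
  if [ -e "$idfile" ]; then
    echo "refusing: $idfile already exists (a wallet may depend on it)" >&2
    return 2
  fi
  mkdir -p "$datadir"
  if [ "$mode" = passphrase ]; then
    # Non-interactive: Zallet reads ZALLET_IDENTITY_PASSPHRASE instead of prompting.
    [ -n "${ZALLET_IDENTITY_PASSPHRASE:-}" ] || {
      echo "ZALLET_IDENTITY_PASSPHRASE must be set for non-interactive -p" >&2
      return 1
    }
    zallet -d "$datadir" generate-encryption-identity -p
  else
    zallet -d "$datadir" generate-encryption-identity
  fi
  # Added hardening (not documented Zallet behaviour): owner-only access.
  chmod 0600 "$idfile"
  identity_kind "$idfile"
}

# Usage (guarded so the helpers can be sourced without side effects):
#   ZALLET_EXAMPLE_RUN=1 sh this-script.sh /tmp/regtest-datadir [plain|passphrase]
if [ "${ZALLET_EXAMPLE_RUN:-0}" = 1 ]; then
  generate_identity_if_missing "${1:-$HOME/.zallet}" "${2:-plain}"
fi
```

Because the existence check runs before zallet is invoked, the script is safe to re-run against a data directory that already holds a wallet: it exits with status 2 and leaves the identity file untouched, which is the behaviour the WARNING above asks for.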

Plugins

age plugin identities (e.g. YubiKey, Apple Secure Enclave, OpenPGP card) require the corresponding age plugin binaries and are not generated by this command. See init-wallet-encryption for using plugin identities.