Replace the pty-based age passphrase approach (which hung in non-tty
contexts) with a two-layer scheme: age-keygen generates a fresh key pair,
age encrypts the .1pux with the public key (non-interactive), then openssl
encrypts the age private key with the 1Password credentials passed via
fd (never exposed in env vars or ps output).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
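
The second layer described above, as an added example that is not code from this commit: openssl wraps a key file while reading the passphrase from fd 3, so it never appears in argv or the environment. The cipher settings (AES-256-CBC, PBKDF2, iteration count), the function names and the sample key and passphrase are assumptions; the age layer is shown only as comments.

```shell
#!/bin/sh
# First layer, for context (not run here; needs age installed):
#   age-keygen -o key.txt                  # fresh identity, prints the recipient
#   age -r "$RECIPIENT" -o export.1pux.age export.1pux
# Second layer: wrap key.txt with a passphrase delivered over a file descriptor.

# wrap_key IN OUT: passphrase is read from this function's stdin.
wrap_key() {
    # 3<&0 duplicates the pipe onto fd 3, then stdin is detached, so openssl
    # cannot block on a terminal prompt in non-tty contexts.
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -pass fd:3 -in "$1" -out "$2" 3<&0 </dev/null
}

# unwrap_key IN OUT: inverse of wrap_key, same passphrase channel.
unwrap_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass fd:3 -in "$1" -out "$2" 3<&0 </dev/null 2>/dev/null
}

# Constructed stand-ins: not a real age identity or 1Password credentials.
SAMPLE_KEY='AGE-SECRET-KEY-1EXAMPLEPLACEHOLDERNOTAREALKEY'
SAMPLE_PASS='example-master-password A3-EXAMPLE-SECRET-KEY'

# Returns 0 when wrap followed by unwrap reproduces the key file exactly.
roundtrip_ok() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_KEY" > "$dir/key.txt"
    # printf is a shell builtin, so the passphrase is not in any process argv.
    printf '%s\n' "$SAMPLE_PASS" | wrap_key "$dir/key.txt" "$dir/key.enc" &&
    printf '%s\n' "$SAMPLE_PASS" | unwrap_key "$dir/key.enc" "$dir/key.out" &&
    cmp -s "$dir/key.txt" "$dir/key.out"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Returns 0 when a wrong passphrase fails to recover the key.
wrong_pass_rejected() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_KEY" > "$dir/key.txt"
    printf '%s\n' "$SAMPLE_PASS" | wrap_key "$dir/key.txt" "$dir/key.enc" || return 1
    rc=0
    printf '%s\n' 'not the passphrase' | unwrap_key "$dir/key.enc" "$dir/key.out" &&
        cmp -s "$dir/key.txt" "$dir/key.out" && rc=1
    rm -rf "$dir"
    return $rc
}
```

CBC mode here carries no authentication tag; a wrong passphrase is normally caught by the padding check, and the byte comparison covers the rare case where it is not.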
Encrypts a .1pux export from the 1Password desktop app with age using the
master password + secret key as the passphrase, then SCPs to indri where
borgmatic picks it up. Provides double encryption (age + borg repokey) and
recovery requires only the Emergency Kit from the safety deposit box.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>