AGEX Bundle Rewrapper

Re-encrypt an AGEX bundle with a new passphrase and fresh Argon2id/XChaCha parameters

This tool is useful for passphrase rotation or ownership handoff. It decrypts the existing AGEX bundle with the current passphrase, then creates a fresh bundle protected by the new passphrase. If you want the new bundle signed, provide a signer ID and private key.

Example Results

Rotate the passphrase on an AGEX bundle

Re-encrypt an existing bundle with a new passphrase and fresh bundle parameters

{
  "result": {
    "bundleFormat": "AGEX",
    "version": 1,
    "signatureIncluded": false
  }
}
Input parameters
{
  "bundleFile": "/public/processing/example.agex.json",
  "currentPassphrase": "old-passphrase-123",
  "newPassphrase": "new-passphrase-456",
  "strength": "moderate"
}

Key Facts

Category: Security & Validation
Input Types: file, text, select, textarea
Output Type: json
Sample Coverage: 4
API Ready: Yes

Overview

The AGEX Bundle Rewrapper allows you to securely rotate passphrases or hand over ownership of your AGEX bundles. By decrypting your existing bundle with its current passphrase, the tool generates a fresh bundle encrypted with a new passphrase and updated Argon2id/XChaCha parameters, with optional support for Ed25519 cryptographic signing.

When to Use

  • When you need to perform routine passphrase rotation for security compliance on your AGEX encrypted bundles.
  • When transferring ownership of an encrypted bundle to another team member or external partner.
  • When upgrading the key derivation strength parameters of an existing AGEX bundle.

How It Works

  • Upload the target AGEX bundle file and enter its current decryption passphrase.
  • Specify the new passphrase and select the desired key derivation strength (interactive, moderate, or sensitive).
  • Optionally provide a signer ID and an Ed25519 private key to cryptographically sign the newly generated bundle.
  • Execute the rewrap process to generate and download the newly encrypted AGEX bundle JSON.

Use Cases

  • Rotating credentials for sensitive configuration files stored in AGEX format.
  • Handing over encrypted database credentials to a new system administrator.
  • Re-signing and re-encrypting legacy AGEX bundles with stronger Argon2id parameters.

Examples

1. Routine Passphrase Rotation

Role: Security Administrator
Background: A security administrator needs to rotate the passphrase of a production AGEX configuration bundle every 90 days to comply with company security policies.
Problem: The administrator needs to update the passphrase without exposing the raw contents of the bundle permanently.
How to Use: Upload the existing config.agex.json file, input the current passphrase, enter the new secure passphrase, set the strength to 'sensitive', and run the rewrapper.
Example Config:
{
  "strength": "sensitive",
  "currentPassphrase": "old-passphrase-123",
  "newPassphrase": "new-passphrase-456"
}
Outcome: A new AGEX bundle is generated with updated Argon2id parameters and the new passphrase, ready for deployment.

2. Ownership Handoff with Cryptographic Signing

Role: DevOps Engineer
Background: A DevOps engineer is handing over deployment credentials to a client and needs to re-encrypt the bundle with the client's passphrase while signing it with the company's private key.
Problem: The client requires a new passphrase and verification that the bundle originated from the trusted engineer.
How to Use: Upload the bundle file, input the current passphrase, enter the client's new passphrase, and fill in the Signer ID and Ed25519 private key fields.
Example Config:
{
  "strength": "moderate",
  "currentPassphrase": "devops-temp-pass",
  "newPassphrase": "client-final-pass",
  "signerId": "devops-team-01",
  "signerPrivateKey": "dGVzdC1wcml2YXRlLWtleS1iYXNlNjQtc3RyaW5nLWV4YW1wbGU="
}
Outcome: The client receives a re-encrypted AGEX bundle containing the verified signature of the DevOps team.

FAQ

Does this tool store my passphrases or decrypted bundle data?

No, all decryption and re-encryption processes occur locally or in memory during execution, and no data is stored.

What encryption algorithms are used during the rewrap?

The tool uses Argon2id for key derivation and XChaCha20-Poly1305 for symmetric encryption.

Can I sign the new bundle during the rewrapping process?

Yes, you can optionally provide a Signer ID and a base64-encoded Ed25519 private key to sign the output bundle.

What do the different strength options mean?

The strength options (interactive, moderate, sensitive) adjust the Argon2id memory and CPU limits used to derive the encryption key.

What file formats does the tool accept?

The tool accepts AGEX bundle files, typically formatted as JSON.

API Documentation

Request Endpoint

POST /en/api/tools/agex-bundle-rewrapper

Request Parameters

Parameter Name      Type                     Required   Description
bundleFile          file (Upload required)   Yes        -
currentPassphrase   text                     Yes        -
newPassphrase       text                     Yes        -
strength            select                   Yes        -
signerId            text                     No         -
signerPrivateKey    textarea                 No         -

File type parameters need to be uploaded first via POST /upload/agex-bundle-rewrapper to get filePath, then pass filePath to the corresponding file field.
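
A client-side pre-flight check for the request parameters listed above, as an added example that is not part of the tool or its API. It assumes the signer fields must be supplied together and that the private key is a raw 32-byte Ed25519 seed or a 64-byte seed-plus-public-key value; the page does not state the exact key encoding.

```python
import base64
import binascii

# Values the page names for the "strength" select.
STRENGTHS = {"interactive", "moderate", "sensitive"}
REQUIRED = ("bundleFile", "currentPassphrase", "newPassphrase", "strength")
# Assumption: raw Ed25519 seed (32 bytes) or seed||public key (64 bytes).
ED25519_KEY_LENGTHS = {32, 64}


def check_rewrap_request(params):
    """Return a list of problems in a rewrap request; an empty list means OK."""
    problems = []
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"missing required parameter: {name}")
    strength = params.get("strength")
    if strength and strength not in STRENGTHS:
        problems.append(f"unknown strength: {strength!r}")
    cur, new = params.get("currentPassphrase"), params.get("newPassphrase")
    if cur and new and cur == new:
        problems.append("newPassphrase equals currentPassphrase; nothing is rotated")
    signer_id, key_b64 = params.get("signerId"), params.get("signerPrivateKey")
    if bool(signer_id) != bool(key_b64):
        problems.append("signerId and signerPrivateKey must be given together")
    if key_b64:
        try:
            raw = base64.b64decode(key_b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append("signerPrivateKey is not valid base64")
        else:
            if len(raw) not in ED25519_KEY_LENGTHS:
                problems.append(
                    f"signerPrivateKey decodes to {len(raw)} bytes, expected 32 or 64")
    return problems


# The page's ownership-handoff config, with the bundleFile path from its first example.
HANDOFF = {
    "bundleFile": "/public/processing/example.agex.json",
    "strength": "moderate",
    "currentPassphrase": "devops-temp-pass",
    "newPassphrase": "client-final-pass",
    "signerId": "devops-team-01",
    "signerPrivateKey": "dGVzdC1wcml2YXRlLWtleS1iYXNlNjQtc3RyaW5nLWV4YW1wbGU=",
}

if __name__ == "__main__":
    for problem in check_rewrap_request(HANDOFF):
        print(problem)
```

Run against the handoff config, the check reports that the sample signerPrivateKey is a placeholder string rather than key material of a valid length.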

Response Format

{
  "key": {...},
  "metadata": {
    "key": "value"
  },
  "error": "Error message (optional)",
  "message": "Notification message (optional)"
}

AI MCP Documentation

Add this tool to your MCP server configuration:

{
  "mcpServers": {
    "elysiatools-agex-bundle-rewrapper": {
      "name": "agex-bundle-rewrapper",
      "description": "Re-encrypt an AGEX bundle with a new passphrase and fresh Argon2id/XChaCha parameters",
      "baseUrl": "https://elysiatools.com/mcp/sse?toolId=agex-bundle-rewrapper",
      "command": "",
      "args": [],
      "env": {},
      "isActive": true,
      "type": "sse"
    }
  }
}

You can chain multiple tools, e.g.: `https://elysiatools.com/mcp/sse?toolId=png-to-webp,jpg-to-webp,gif-to-webp`, max 20 tools.

Supports URL file links or Base64 encoding for file parameters.

If you encounter any issues, please contact us at [email protected]