[Question] How do I use this to encrypt/decrypt agenix secrets with a Yubikey age key? #10
I'm not entirely sure whether I understand your question. What do you mean by "natively decrypt"? The way agenix-rekey works is the following:
I believe this would be a solution to the issue you linked, although you will probably run into issues when using multiple yubikeys. I'm not sure what the benefit of using multiple yubikeys would be here, since you will require all yubikeys anyway when rekeying secrets.
Ah my bad, I should've clarified this part more. What I meant was that agenix doesn't actually support decrypting secrets with Yubikey-based age keys at all, since agenix expects you to have identity files (which are generated when you create the age keys on the computer; this isn't the case for age keys that are made on the Yubikey).
I want to be able to use the Yubikey when I'm building my NixOS config, like in the second case you described.
I wouldn't actually be using multiple separate Yubikeys per se, more like different age keys that are generated on the same Yubikey (and having an actual backup Yubikey that I can fall back to in case the main one gets damaged somehow). 🤔 I'm unsure how the backup Yubikey would work though, since like you said, I would have to have both Yubikeys in the system in order to rekey the secrets.
Ah I see. This utility replaces the need for the original agenix command and ours works differently. If you run
Then this project should work for you, this is exactly what it was made for :)
Adding a backup key is easy, I've included an option called I still don't understand why you'd want to use different age identities in different slots on the same yubikey though. Technically nothing prevents you from specifying multiple Although there are some usability caveats to specifying multiple master identities: If you add multiple master identities, age-plugin-yubikey will always try to decrypt the given file with the first identity. Only when you actively press skip will it try the next one. There is no autodetection that would automatically select the correct yubikey based on which key is plugged in.
Perfect! I'm going to start getting the config all set for it and give it a go. Thank you!
This is more just a proposed idea, in case I ever want to add multiple users. It came more from how this repo implements secrets with sops-nix. But thinking about it again, just sticking with one master identity like you said would be simpler to manage.
Hey quick question, so I started adding agenix to my config but I got a couple of questions:
And when trying to include it as a package to install like below, I get a "missing pkgs" error:
flake.nix
There is no module for HM currently, but nothing prevents you from using the secrets defined on the underlying nixos host in home manager. So deploying a pure HM config without an underlying nixos is currently not possible.
It doesn't assume you are using flake-utils. The example just uses it, but you are free not to use it. Nothing in there depends on it, it's just syntactic sugar. I would also advise against adding it to your system packages, since you want to make sure to use the agenix-rekey utility from the same version as the one in your flake. Otherwise you will run into issues where your system utility is one or more versions behind the rest of the code pulled in by your flake. So always add it to your devshell, and only use it from there to make sure the What you are missing in your setup is adding it to your overlays (see the code example in the Installation section), so given your code you want to add the following:
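Added example (not code from this thread or from the agenix-rekey project itself): a minimal flake that follows the advice above, with the overlay providing `pkgs.agenix-rekey`, the CLI exposed only through the devshell, and one Yubikey master identity plus a backup recipient. Host name, key file paths and key values are placeholders; the option names `age.rekey.hostPubkey`, `age.rekey.masterIdentities`, `age.rekey.extraEncryptionPubkeys`, `agenix-rekey.overlays.default` and `agenix-rekey.configure` are assumed from the project's documentation and should be checked against the version you pin.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";
    agenix-rekey.url = "github:oddlama/agenix-rekey";
    agenix-rekey.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, agenix, agenix-rekey, ... }:
    let
      system = "x86_64-linux";
      # The overlay is what puts `agenix-rekey` into pkgs; without it the
      # package reference fails with an error like the "missing pkgs" above.
      pkgs = import nixpkgs {
        inherit system;
        overlays = [ agenix-rekey.overlays.default ];
      };
    in {
      nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
        inherit system pkgs;
        modules = [
          agenix.nixosModules.default
          agenix-rekey.nixosModules.default
          {
            age.rekey = {
              # Public key of the host's own SSH identity (placeholder value).
              hostPubkey = "ssh-ed25519 AAAA...PLACEHOLDER-HOST-KEY";
              # Single master identity: the identity stub that
              # age-plugin-yubikey prints for the key living on the Yubikey.
              masterIdentities = [ ./secrets/yubikey-identity.pub ];
              # Backup Yubikey added as an extra recipient only, so rekeying
              # needs just the primary key but the backup can still decrypt.
              extraEncryptionPubkeys = [ "age1yubikey1PLACEHOLDER-BACKUP" ];
            };
          }
        ];
      };

      # Run the agenix-rekey CLI from here rather than from systemPackages,
      # so its version always matches the agenix-rekey input of this flake.
      devShells.${system}.default = pkgs.mkShell {
        packages = [ pkgs.agenix-rekey ];
      };

      # Lets the CLI find the hosts (and their secrets) defined in this flake.
      agenix-rekey = agenix-rekey.configure {
        userFlake = self;
        nixosConfigurations = self.nixosConfigurations;
      };
    };
}
```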
I'm closing this since I believe the original question was answered. If you need anything else, let me know.
Hey, I'm wondering if it's possible to use this to circumvent this issue where it's not possible to natively decrypt agenix secrets with an age key that lives on a Yubikey. I basically want to have one key that decrypts the secrets for my users, and each key will be for that specific user (since I have one atm, it will just be that one key in the flake). The goal is to allow my flake to encrypt new secrets to my flake and then allow me to decrypt them whenever I need to, say for instance when I reinstall NixOS onto my computer.