Improve UX for multiple split masterIdentities #28
Conversation
Thanks for the detailed explanation! I've already looked through your additions and the new script but I don't think I have anything to add at this point. This is looking pretty great already!
I guess you can just copy some parts of your PR description and put it in as documentation. All that's needed is probably a mention of the environment variable and an update to the masterIdentities option description to point out how it works now. For any more details I'd say you can just link to this PR.
I'm not sure which additional warnings you'd fancy? I'd definitely be fine with what you already have.
Thanks again!
I was originally considering warnings that indicate a "potentially degraded" user experience, e.g. a warning if a Yubikey identity does not have an associated pubkey. However, I think now that a proper explanation in the manual/readme is required anyways and will be sufficient. No need to create additional complexity where there doesn't have to be. So if you are happy with the current state, I will only add the remaining documentation and leave the PR otherwise as is.
- document new age.rekey.masterIdentities syntax
- document AGENIX_REKEY_PRIMARY_IDENTITY environment variable
I have now expanded the README and hope the explanations are clear enough so that people know what is possible, what to do and where to look. Minor remarks:
Looks good, thanks.
I'll probably switch to mdbook rendered documentation at some point, then it will hopefully be more readable.
Good idea! I think this is good to now, thanks again for all your work!
Happy to contribute, thank you for your openness towards my suggestions and for the constructive discussion and feedback :D
Fixes #24.
Changes
First, the implementation introduces a new syntax for specifying identities in age.rekey.masterIdentities:

The old syntax continues to be supported through automatic coercion into the new format. If pubkey is specified, it will be used to encrypt files, instead of trying to extract a pubkey from the identity file.

Second, the implementation may extract an "implicit" pubkey from the identity file to use instead of the identity itself. This will only happen if the following conditions are met:
- pubkey using the above syntax.
- AGE-PLUGIN-YUBIKEY-<...>.
- Recipient: age1yubikey1<pubkey>.

Every identity file that does not match all of the above criteria will be passed to (r)age without further processing, in order to let the program itself deal with the identity at runtime.
Third, the implementation adds support for the new environment variable AGENIX_REKEY_PRIMARY_IDENTITY, which is used during decryption. If set to a pubkey, agenix-rekey will attempt to locate the key amongst the explicitly and implicitly specified pubkeys:

Implementation
I ended up writing a wrapper script for (r)age in ./nix/lib.nix that is shared between the encrypt and decrypt phases and decides what phase to run based on the first argument it receives. The remaining arguments are directly passed to (r)age. Warnings are deferred to stderr in order to not mess with generators that use the decrypt command in a piping fashion, e.g.:

Testing
The current code can successfully handle the following flake.nix. See the comments next to the different masterIdentities and age.secrets for further details:

AGENIX_REKEY_PRIMARY_IDENTITY set to pubkey of Yubikey B
- agenix edit: testkeypass.key during encryption.
- agenix generate -f: testkeypass.key for each generated secret during encryption.
- agenix rekey -f:

AGENIX_REKEY_PRIMARY_IDENTITY unset
- agenix edit: testkeypass.key during encryption.
- agenix generate -f: testkeypass.key for each generated secret during encryption.
- agenix rekey -f:

AGENIX_REKEY_PRIMARY_IDENTITY set to invalid pubkey
Behavior is the same as if unset. The following warning is printed at least once for every one of the three operations:
TODO
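As an added illustration, not the wrapper script this PR adds in ./nix/lib.nix, the bash functions below apply the rules described above: an explicit pubkey wins, then an implicit YubiKey recipient parsed from the identity file's Recipient comment, else the identity file is handed to (r)age unchanged, and AGENIX_REKEY_PRIMARY_IDENTITY selects the decryption identity with a stderr warning and fallback when it matches nothing. The file=pubkey argument form and the identity file layout are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the wrapper from ./nix/lib.nix: one identity is resolved
# per the PR's rules. The "file=pubkey" argument form is an assumption.
set -eu

# Print the implicit recipient of a YubiKey identity file. Fails (exit 1) when
# the file holds no AGE-PLUGIN-YUBIKEY- identity or no "# Recipient:" comment,
# in which case the caller must hand the identity to (r)age unchanged.
implicit_pubkey() {
  local file="$1" recipient
  grep -q '^AGE-PLUGIN-YUBIKEY-' "$file" || return 1
  recipient=$(sed -nE 's/^#[[:space:]]*Recipient:[[:space:]]*(age1yubikey1[a-z0-9]+).*$/\1/p' "$file" | head -n 1)
  [ -n "$recipient" ] || return 1
  printf '%s\n' "$recipient"
}

# Encryption argument for one identity: explicit pubkey wins, then the
# implicit YubiKey recipient, otherwise the identity file itself.
encrypt_arg() {
  local identity="$1" pubkey="${2:-}" rec
  if [ -n "$pubkey" ]; then
    printf '%s %s\n' --recipient "$pubkey"
  elif rec=$(implicit_pubkey "$identity"); then
    printf '%s %s\n' --recipient "$rec"
  else
    printf '%s %s\n' --identity "$identity"
  fi
}

# Decryption: pick the identity whose explicit or implicit pubkey equals
# AGENIX_REKEY_PRIMARY_IDENTITY. An unknown pubkey warns on stderr (never
# stdout, so piped generators stay clean) and falls back to the first entry,
# matching the "same as if unset" behaviour the PR describes.
primary_identity() {
  local want="${AGENIX_REKEY_PRIMARY_IDENTITY:-}" entry file pubkey
  if [ -n "$want" ]; then
    for entry in "$@"; do
      file="${entry%%=*}"
      pubkey=""
      [ "$file" = "$entry" ] || pubkey="${entry#*=}"
      [ -n "$pubkey" ] || pubkey=$(implicit_pubkey "$file" || true)
      if [ "$pubkey" = "$want" ]; then printf '%s\n' "$file"; return 0; fi
    done
    echo "warning: AGENIX_REKEY_PRIMARY_IDENTITY matches no known pubkey, falling back to the first identity" >&2
  fi
  printf '%s\n' "${1%%=*}"
}
```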