Support for ssh-keys with passphrases #4

Open
bbigras opened this issue Dec 18, 2020 · 11 comments

Comments

@bbigras
Contributor

bbigras commented Dec 18, 2020

If I run agenix -e secret1.age and hit CTRL+C when it's asking for my passphrase. Then if I try to type stuff in my prompt, I don't see what I type.

[bbigras@desktop:~/nix-config]$ agenix -e secret1.age
Type passphrase for OpenSSH key '/home/bbigras/.ssh/id_ed25519':

Maybe it's a problem with the askpass thing or whatever.

[Screen recording attached: Peek 18-12-2020 14-54]

Feel free to rename the issue's title.
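The "I don't see what I type" symptom described above is what happens when a program turns terminal echo off to read a passphrase and then gets interrupted before it turns echo back on. Here is an added example (mine, not code from agenix, rage or this thread) that reproduces the failure mode on a throwaway pseudo-terminal and shows the pattern that avoids it: restore the saved termios state in a `finally` block so that a KeyboardInterrupt from CTRL+C cannot skip it. The `interrupted_reader` helper is a stand-in for the user pressing CTRL+C at the prompt.

```python
import os
import pty
import termios

LFLAG = 3  # index of c_lflag in the list returned by termios.tcgetattr()


def echo_enabled(fd: int) -> bool:
    """True when the terminal on fd echoes typed characters back to the user."""
    return bool(termios.tcgetattr(fd)[LFLAG] & termios.ECHO)


def set_echo(fd: int, enabled: bool) -> None:
    """Switch the ECHO local-mode flag on or off, leaving other settings alone."""
    attrs = termios.tcgetattr(fd)
    if enabled:
        attrs[LFLAG] |= termios.ECHO
    else:
        attrs[LFLAG] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


def read_passphrase_fragile(fd: int, reader) -> str:
    """Echo off, read, echo on. If reader() raises (CTRL+C -> KeyboardInterrupt),
    the restore line is never reached and the shell is left with echo disabled."""
    saved = termios.tcgetattr(fd)
    set_echo(fd, False)
    value = reader()
    termios.tcsetattr(fd, termios.TCSANOW, saved)
    return value


def read_passphrase_robust(fd: int, reader) -> str:
    """Same prompt, but the saved terminal state is restored on every exit path."""
    saved = termios.tcgetattr(fd)
    set_echo(fd, False)
    try:
        return reader()
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)


def interrupted_reader() -> str:
    # Hypothetical reader that behaves like a user hitting CTRL+C at the prompt.
    raise KeyboardInterrupt


def demo() -> dict:
    """Run both prompt variants on a fresh pty and report whether echo survived."""
    master, slave = pty.openpty()  # throwaway terminal so nothing touches the real tty
    results = {}
    try:
        for name, prompt in (("fragile", read_passphrase_fragile),
                             ("robust", read_passphrase_robust)):
            set_echo(slave, True)
            try:
                prompt(slave, interrupted_reader)
            except KeyboardInterrupt:
                pass  # the caller survives, but did the terminal?
            results[name] = echo_enabled(slave)
    finally:
        os.close(master)
        os.close(slave)
    return results


if __name__ == "__main__":
    print(demo())  # {'fragile': False, 'robust': True}
```

If a shell has already been left in the echo-less state, typing `stty sane` (or `reset`) blind and pressing Enter restores the terminal without having to close it.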

@ryantm
Owner

ryantm commented Dec 18, 2020

That's cool that asking for your password is working at all! In my past experience it doesn't work at all. I guess Rage has support for it. This may be an upstream bug with Rage; I'll have to look into it more.

@ryantm
Owner

ryantm commented Dec 18, 2020

Post about why SSH key passwords might not be so useful: https://groups.google.com/g/age-dev/c/Xe6zW4haGx8/m/m_jYh7YTAgAJ

@bbigras
Contributor Author

bbigras commented Dec 18, 2020

> That's cool that asking for your password is working at all! In my past experience it doesn't work at all. I guess Rage has support for it. This may be an upstream bug with Rage; I'll have to look into it more.

One weird thing is that it doesn't work on the first try. Maybe it's trying to decrypt every key or something. I was using 2 for my test.

> Post about why SSH key passwords might not be so useful

I'm not sure passphrase protected ssh keys will stop being the norm anytime soon.

@ryantm
Owner

ryantm commented Dec 18, 2020

Oh, I'm remembering better now. It wasn't that it doesn't support asking for the password; the problem is it doesn't support the ssh-agent, so it asks for the password EVERY time. So, say you rekey 20 secrets, it asks you for the password 20 times.

ryantm changed the title from "echo" problem to Support for ssh-keys with passphrases on Dec 18, 2020
@ryantm
Owner

ryantm commented Dec 18, 2020

I added a notice warning people about password-protected ssh keys not working well https://github.com/ryantm/agenix#notices

> Password-protected ssh keys: since the underlying tools age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.

@ryantm
Owner

ryantm commented Dec 19, 2020

I confirmed that I have the same problem with echoing mentioned in the top post.

@edrex
Contributor

edrex commented Apr 5, 2021

> the problem is it doesn't support the ssh-agent, so it asks for the password EVERY time

Status for discoverability: rage has a plugin interface but ssh-agent doesn't expose the raw key, so an age-aware agent would need to be written (or existing agent extended) str4d/rage#160 (comment)

@XenGi

XenGi commented Nov 29, 2023

I can confirm that the repeated asking for the password of your ssh key comes from rage and is not a problem with nixage. You can switch to the original age implementation, which doesn't suffer from this issue: https://github.com/ryantm/agenix#overriding-age-binary

You will still get asked for the password for every operation on age files but at least only once. So if you only want to edit one single file you only get asked once which is fine.

For rekeying this is still annoying but at least it works correctly. Teaching age how to use the ssh agent for key retrieval would be a nice feature but has to be requested with the age or rage project and not with nixage I guess.

@brainrake

Actually if you need to rekey 20 secrets with 5 keys, you will have to enter your password 100 times.

@brainrake

brainrake commented Mar 8, 2024

For reference, here is the author's reasoning:
https://groups.google.com/g/age-dev/c/Xe6zW4haGx8/m/m_jYh7YTAgAJ
FiloSottile/age#7

@gabyx

gabyx commented May 18, 2024

I am wondering how passphrase-protected SSH keys can work when the agenix.service is running oneshot to symlink all secrets. I tried that and the service died because there is no prompt where I can enter the ssh key passphrase. So would that then work automatically if age supported an agent? Is the agent, like the ssh-agent, only there to have the private keys unlocked?
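To make edrex's point concrete (ssh-agent never hands out the raw key) and to answer the question above about what an agent actually does, here is an added example of my own, not code from this thread or from age, rage or agenix. It speaks the SSH agent protocol in both directions: it builds the `REQUEST_IDENTITIES` message a client sends, parses the `IDENTITIES_ANSWER` an agent returns, and builds a `SIGN_REQUEST`. The message numbers and wire framing are the protocol's real ones (draft-miller-ssh-agent); the 32-byte public key and the comment in `CONSTRUCTED_REPLY` are constructed so the script runs offline, and `list_agent_identities` only talks to a live agent if `SSH_AUTH_SOCK` is set. What the parse shows is that the agent's inventory carries public keys only, and the only private-key operation the protocol offers is signing. age's `ssh-ed25519` recipients need the private scalar for X25519 key agreement, not an Ed25519 signature, so a stock agent cannot serve a decryption, which is why an age-aware agent (or plugin) would have to be written.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Agent messages on the wire: uint32 length, then a type byte, then payload."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def build_identities_answer(keys) -> bytes:
    """Constructed stand-in for a real agent's IDENTITIES_ANSWER (nkeys, then blob+comment pairs)."""
    payload = struct.pack(">I", len(keys))
    for blob, comment in keys:
        payload += ssh_string(blob) + ssh_string(comment)
    return frame(SSH_AGENT_IDENTITIES_ANSWER, payload)


def parse_identities_answer(reply: bytes):
    """Parse IDENTITIES_ANSWER; the inner blob layout handled here is ssh-ed25519's
    (string key type, string 32-byte public key). Note: public material only."""
    (length,) = struct.unpack_from(">I", reply, 0)
    body = reply[4:4 + length]
    if not body or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an IDENTITIES_ANSWER message")
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = read_ssh_string(body, off)
        comment, off = read_ssh_string(body, off)
        key_type, inner = read_ssh_string(blob, 0)
        public_key, _ = read_ssh_string(blob, inner)
        keys.append({"type": key_type.decode(), "public_key": public_key,
                     "comment": comment.decode(), "blob": blob})
    return keys


def sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """SIGN_REQUEST: the one private-key operation the agent protocol exposes."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags))


# Constructed sample: an agent holding one ed25519 key with a made-up public half.
CONSTRUCTED_PUBLIC = bytes(range(32))
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(CONSTRUCTED_PUBLIC)
CONSTRUCTED_REPLY = build_identities_answer([(CONSTRUCTED_BLOB, b"constructed test key")])


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def list_agent_identities(sock_path=None):
    """Query a live agent over its UNIX socket; without SSH_AUTH_SOCK, use the constructed reply."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return parse_identities_answer(CONSTRUCTED_REPLY)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        header = _recv_exact(s, 4)
        (n,) = struct.unpack(">I", header)
        return parse_identities_answer(header + _recv_exact(s, n))


if __name__ == "__main__":
    for key in list_agent_identities():
        print(key["type"], len(key["public_key"]), "public-key bytes;", key["comment"])
```

So, to the question above: yes, an agent's job is to hold unlocked private keys and perform operations with them on request, which is exactly what a oneshot service with no prompt would need. But it has to be an agent that performs the operation age needs (key agreement), and today's ssh-agent only signs.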

6 participants