Open techhazard opened 1 year ago
When looking at the part of the tutorial to convert an existing ~/.ssh/id_ed25519 private key into an age key, this requires removing the password from a temporary copy and using that to create ~/.config/sops/age/keys.txt. This makes me have a few questions:
There is now another way that does not require a private copy: https://github.com/Mic92/ssh-to-age#usage. However, also with this method your key will still be unencrypted in the end in keys.txt.
If you don't want your ssh key to be stored decrypted, just create another age key normally. There is also a way to use gpg instead of age to avoid this problem, at the price of more complexity.
Is keys.txt a plaintext private key?
Yes. Improvements to the existing documentation are welcome.
Is it possible to derive my original ssh private key from this file?
It's possible, but sops does not do it. We have implemented that in ssh-to-age: https://github.com/Mic92/ssh-to-age#usage
Why are encrypted keys not supported?
It's sops not supporting this. As soon as they support it, it's just a matter of updating documentation in this project.
Thanks for the answers :smile:
Is it possible to derive my original ssh private key from this file?
I meant to ask if someone who has the keys.txt (with the plain text age key) can recreate the SSH private key that is related to it? How are they related, cryptographically? Is it the exact same key in a different format, or is it a derivation of it?
Same key, different format
Is keys.txt a plaintext private key?
Does this mean that the private key used for the sops ~encryption~ decryption is stored in plaintext? I don't think this is explicitly stated as such in the guide, it might be a good idea to make that clear.
Is it possible to derive my original ssh private key from this file?
How is the age key derived from id_ed25519?
Why are encrypted keys not supported?
Age itself seems to support it: https://github.com/FiloSottile/age#passphrase-protected-key-files
It looks like an upstream limit? https://github.com/mozilla/sops#encrypting-using-age
But support seems to be coming: https://github.com/mozilla/sops/pull/1134
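As an added example (my own code, not from this thread, sops-nix or ssh-to-age), this is the conversion that age's ssh-ed25519 support and ssh-to-age apply when they turn the key in id_ed25519 into the age identity written to keys.txt, which is what the two "how is it derived" questions above ask about: the 32-byte Ed25519 seed is hashed with SHA-512, the first 32 bytes become the X25519 secret, and that is Bech32-encoded under the "AGE-SECRET-KEY-" prefix. Parsing the OpenSSH key file format is left out, a constructed seed stands in for the real one, and all function names are my own.

```python
import hashlib
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 alphabet (BIP-173)
AGE_SECRET_HRP = "age-secret-key-"  # age prints the whole string upper-cased

def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _to_5bit(data):
    # Regroup 8-bit bytes into 5-bit symbols, zero-padding the tail.
    acc = bits = 0
    out = []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    return out + ([(acc << (5 - bits)) & 31] if bits else [])

def bech32_encode(hrp, payload):
    data = _to_5bit(payload)
    poly = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)

def bech32_verify(s):
    # True when the checksum holds (case-insensitive, as Bech32 specifies).
    hrp, _, body = s.lower().rpartition("1")
    if not hrp or any(c not in CHARSET for c in body):
        return False
    return _polymod(_hrp_expand(hrp) + [CHARSET.index(c) for c in body]) == 1

def age_scalar_from_ed25519_seed(seed):
    # As age's ssh-ed25519 support and ssh-to-age do: first 32 bytes of SHA-512(seed).
    assert len(seed) == 32, "an Ed25519 seed is exactly 32 bytes"
    return hashlib.sha512(seed).digest()[:32]

def age_identity_from_ed25519_seed(seed):
    return bech32_encode(AGE_SECRET_HRP, age_scalar_from_ed25519_seed(seed)).upper()

SAMPLE_SEED = bytes(range(32))  # constructed sample seed, not a real key
```

Because the age secret is computed directly from the Ed25519 seed, keys.txt holds usable secret-key material for that SSH key and needs the same protection as id_ed25519 itself.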