Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

Would it be possible to use an Age key that lives on a Yubikey via age-plugin-yubikey? #377

Open solomon-b opened 10 months ago

solomon-b commented 10 months ago

I know you can do this with GPG but it would be really awesome if I could use Age instead.

Mic92 commented 10 months ago

This is blocked on https://github.com/getsops/sops/issues/1103

nyabinary commented 9 months ago

Bummer :<

Mic92 commented 8 months ago

Now we got: https://github.com/getsops/sops/pull/1335 that unlocks tpm and yubikey plugins for age.

solomon-b commented 8 months ago

Oh very cool. Will you need to do work on sops-nix or will it just work once it's merged into sops?

Mic92 commented 8 months ago

It should just work (TM). Maybe we need some environment (PATH?) variable for sops-install-secrets so age plugins are discovered? But this shouldn't take long to implement.
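The discovery question raised above comes down to one rule of age's plugin design: a plugin recipient is `age1<name>1...`, a plugin identity is `AGE-PLUGIN-<NAME>-1...`, and age runs the binary `age-plugin-<name>` found on `PATH`. The script below is an added example, not code from sops-nix or sops: it derives the plugin name from a recipient or identity string and checks whether the matching binary is reachable, which is the check to run in the environment of whatever unit ends up calling sops-install-secrets. The key strings in the comments are constructed placeholders, and how sops-nix will populate `PATH` for that unit is an assumption this example does not settle.

```shell
#!/bin/sh
# Added example (not sops-nix code): which age plugin does a key imply, and is
# that plugin binary discoverable on PATH?
#
# age plugin naming convention:
#   recipient  age1<name>1<bech32 data>      -> binary age-plugin-<name>
#   identity   AGE-PLUGIN-<NAME>-1<data>     -> binary age-plugin-<name>
# Native X25519 keys (age1<data>, AGE-SECRET-KEY-1<data>) need no plugin.
# Bech32 data never contains the character '1', which is what lets the
# HRP (human-readable part) be split off safely below.

# Print the plugin name for KEY, or nothing if KEY is a native age key.
age_plugin_name() {
  key="$1"
  case "$key" in
    AGE-PLUGIN-*)
      name="${key#AGE-PLUGIN-}"   # YUBIKEY-1QEXAMPLE...
      name="${name%%-1*}"         # YUBIKEY
      printf '%s\n' "$name" | tr 'A-Z' 'a-z'
      ;;
    age1*)
      rest="${key#age1}"          # yubikey1qexample...  or  qexample... (native)
      hrp="${rest%%1*}"           # yubikey              or  unchanged (no '1')
      if [ "$hrp" != "$rest" ]; then
        printf '%s\n' "$hrp"
      fi
      ;;
    *)
      ;;                          # AGE-SECRET-KEY-1..., or not an age key at all
  esac
}

# Return 0 if KEY can be used in the current PATH: either it is a native key
# or its age-plugin-<name> binary can be found.
age_plugin_available() {
  plugin="$(age_plugin_name "$1")"
  if [ -z "$plugin" ]; then
    return 0
  fi
  command -v "age-plugin-$plugin" >/dev/null 2>&1
}

# Usage: ./check-age-plugins.sh KEY [KEY...]
# Reports, for each key, which plugin it needs and whether PATH resolves it.
for key in "$@"; do
  plugin="$(age_plugin_name "$key")"
  if [ -z "$plugin" ]; then
    echo "native key: no plugin needed"
  elif age_plugin_available "$key"; then
    echo "plugin age-plugin-$plugin: found at $(command -v "age-plugin-$plugin")"
  else
    echo "plugin age-plugin-$plugin: NOT on PATH" >&2
  fi
done
```

Running it with the same `PATH` a systemd unit sees (for example via `systemd-run` or by inspecting the unit's `Environment=`) is more telling than running it from an interactive shell, since an interactive profile usually has more directories on `PATH` than a service does.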

nyabinary commented 8 months ago

> It should just work (TM). Maybe we need some environment (PATH?) variable for sops-install-secrets so age plugins are discovered? But this shouldn't take long to implement.

Documentation and a guide would also be appreciated

Kranzes commented 7 months ago

If you know a bit of Go and got a bit of sanity left in you, please help out with https://github.com/getsops/sops/pull/1335. I didn't write any of the code there, it was @Mic92.

mannp commented 3 months ago

I was keen to give this a try with the yubikey-support branch :) but wasn't sure if it was at a beta stage? :)

Mic92 commented 1 month ago

@mannp I will probably switch to use https://github.com/olastor/age-plugin-fido2-hmac instead, because then we can use other security keys beyond just yubikeys.

mannp commented 1 month ago

> @mannp I will probably switch to use https://github.com/olastor/age-plugin-fido2-hmac instead, because then we can use other security keys beyond just yubikeys.

Having choice over sec keys sounds like a good plan, and thanks for the update :)

NovaViper commented 3 weeks ago

Hey @Mic92, is it possible yet to use the age keys generated on Yubikeys? I currently use GPG to encrypt my secrets, but when I use nixos-install, the setupSecretsForUsers script in sops-nix completely ignores my GPG keys and forcibly tries to use the host ssh age keys (which aren't generated on the mounted disks I'm installing onto). This completely interrupts the installation process and doesn't activate my flake on the install at all; therefore the only real way I can see to possibly fix the issue is by using age keys from the Yubikey and having sops-nix use those instead of the host ssh keys.