Open solomon-b opened 10 months ago
This is blocked on https://github.com/getsops/sops/issues/1103
Bummer :<
Now we got: https://github.com/getsops/sops/pull/1335 that unlocks tpm and yubikey plugins for age.
Oh very cool. Will you need to do work on sops-nix, or will it just work once it's merged into sops?
It should just work (TM). Maybe we need some environment (PATH?) variable for sops-install-secrets so age plugins are discovered? But this shouldn't take long to implement.
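The PATH-based plugin discovery mentioned above, as an added example that is not code from sops-nix or sops: age resolves a plugin recipient of the form `age1<name>1...` or a plugin identity of the form `AGE-PLUGIN-<NAME>-1...` to an executable named `age-plugin-<name>` found on PATH. This POSIX sh snippet derives the plugin name from a key string and checks whether the matching binary is reachable through a given PATH, which is the check sops-install-secrets would need to pass at activation time. The key strings in the demo are constructed placeholders, not real keys, and the stub plugin directory is created by the script itself.

```shell
#!/bin/sh
# Added example (not sops-nix or sops code): how age locates plugins.
# age maps a plugin recipient "age1<name>1..." or a plugin identity
# "AGE-PLUGIN-<NAME>-1..." to an executable "age-plugin-<name>" on PATH.
# All key strings below are constructed placeholders, not real keys.

# Print the plugin name for an age recipient or identity string.
# Prints an empty line for native age keys (no plugin involved) and
# returns 1 for strings that are not age keys at all.
age_plugin_name() {
  key=$1
  case $key in
    age1*)
      rest=${key#age1}
      # bech32 data never contains '1', so a '1' in the remainder
      # separates the plugin name from the encoded key material.
      case $rest in
        *1*) printf '%s\n' "${rest%%1*}" ;;
        *)   printf '\n' ;;
      esac
      ;;
    AGE-PLUGIN-*)
      rest=${key#AGE-PLUGIN-}
      printf '%s\n' "${rest%-1*}" | tr 'A-Z' 'a-z'
      ;;
    AGE-SECRET-KEY-1*)
      printf '\n'
      ;;
    *)
      return 1
      ;;
  esac
}

# Return 0 if the plugin binary for $1 is reachable via the PATH in $2.
# Native keys (empty plugin name) always succeed: age handles them itself.
age_plugin_on_path() {
  name=$1
  search_path=$2
  [ -n "$name" ] || return 0
  ( PATH=$search_path; command -v "age-plugin-$name" >/dev/null 2>&1 )
}

# Demo: a stub "age-plugin-yubikey" in a temp dir is found only when that
# dir is on the PATH handed to the check; the fido2-hmac plugin is not
# installed here, so its recipient reports a missing plugin.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\nexit 0\n' > "$dir/age-plugin-yubikey"
  chmod +x "$dir/age-plugin-yubikey"
  for key in age1yubikey1qexample age1fido2-hmac1qexample age1qexample AGE-PLUGIN-YUBIKEY-1QEXAMPLE; do
    name=$(age_plugin_name "$key")
    if age_plugin_on_path "$name" "$dir:/usr/bin:/bin"; then
      echo "$key -> plugin '${name:-<none>}' found"
    else
      echo "$key -> 'age-plugin-$name' missing from PATH"
    fi
  done
  rm -rf "$dir"
}

demo
```

The same lookup rule covers both sides of the thread: `age1yubikey1...` needs `age-plugin-yubikey`, and the fido2-hmac recipients would need `age-plugin-fido2-hmac`; whatever PATH the activation script runs with must contain those binaries, or age will fail to decrypt.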
Documentation and a guide would also be appreciated
If you know a bit of Go and got a bit of sanity left in you, please help out with https://github.com/getsops/sops/pull/1335. I didn't write any of the code there, it was @Mic92.
I was keen to give this a try with the yubikey-support branch :) but wasn't sure if it was at a beta stage? :)
@mannp I will probably switch to use https://github.com/olastor/age-plugin-fido2-hmac instead, because then we can use other security keys beyond just yubikeys.
Having choice over sec keys sounds like a good plan, and thanks for the update :)
Hey @Mic92 Is it possible yet to use the age keys generated on Yubikeys? I currently use GPG to encrypt my secrets, but when I use nixos-install, the setupSecretsForUsers script in sops-nix completely ignores my GPG keys and forcibly tries to use the host ssh age keys (which aren't generated on the mounted disks I'm installing onto), completely interrupting the installation process and not activating my flake on the install at all. Therefore the only real way I can see of possibly fixing the issue is by using age keys from the Yubikey and having sops-nix use those instead of the host ssh keys.
I know you can do this with GPG but it would be really awesome if I could use Age instead.