Closed Lukas-C closed 3 months ago
I was originally considering warnings that indicate a "potentially degraded" user experience, e.g. a warning if a Yubikey identity does not have an associated pubkey. However I think now that a proper explanation in the manual/readme is required anyways and will be sufficient. No need to create additional complexity where there doesn't have to be.
So if you are happy with the current state, I will only add the remaining documentation and leave the PR otherwise as is.
I have now expanded the README and hope the explanations are clear enough so that people know what is possible, what to do and where to look.

Minor remarks:

* I had to omit some of the details of the new `masterIdentities` type signature, since readability otherwise would have suffered even more. Instead I made do with a link to the actual lines of code. At the moment it points to the location where the corresponding lines should end up after the merge, so we should probably update this to a proper permalink afterwards.
* I added a separate section for the new environment variable (and potential future ones). Since we're somehow still missing a terminal prompt emoji in the Unicode standard, I made do with a keyboard (⌨) as the section logo.

> I have now expanded the README and hope the explanations are clear enough so that people know what is possible, what to do and where to look.

Looks good, thanks.

> I had to omit some of the details of the new `masterIdentities` type signature, since readability otherwise would have suffered even more. Instead I made do with a link to the actual lines of code. At the moment it points to the location where the corresponding lines should end up after the merge, so we should probably update this to a proper permalink afterwards.

I'll probably switch to mdbook rendered documentation at some point, then it will hopefully be more readable.

> I added a separate section for the new environment variable (and potential future ones). Since we're somehow still missing a terminal prompt emoji in the Unicode standard, I made do with a keyboard (⌨) as the section logo.

Good idea!

I think this is good to go now, thanks again for all your work!
Happy to contribute, thank you for your openness towards my suggestions and for the constructive discussion and feedback :D
Fixes #24.
Changes
First, the implementation introduces a new syntax for specifying identities in `age.rekey.masterIdentities`:

The old syntax continues to be supported through automatic coercion into the new format. If `pubkey` is specified, it will be used to encrypt files, instead of trying to extract a pubkey from the identity file.

Second, the implementation may extract an "implicit" pubkey from the identity file to use instead of the identity itself. This will only happen if the following conditions are met:

* `pubkey` using the above syntax.
* `AGE-PLUGIN-YUBIKEY-<...>`.
* `Recipient: age1yubikey1<pubkey>`.

Every identity file that does not match all of the above criteria will be passed to (r)age without further processing, in order to let the program itself deal with the identity at runtime.

Third, the implementation adds support for the new environment variable `AGENIX_REKEY_PRIMARY_IDENTITY`, which is used during decryption. If set to a pubkey, agenix-rekey will attempt to locate the key amongst the explicitly and implicitly specified pubkeys:

Implementation
I ended up writing a wrapper script for (r)age in `./nix/lib.nix` that is shared between the encrypt and decrypt phases and decides what phase to run based on the first argument it receives. The remaining arguments are directly passed to (r)age. Warnings are deferred to stderr in order to not mess with generators that use the `decrypt` command in a piping fashion, e.g.:

Testing
The current code can successfully handle the following `flake.nix`. See the comments next to the different `masterIdentities` and `age.secrets` for further details:

`AGENIX_REKEY_PRIMARY_IDENTITY` set to pubkey of Yubikey B

* `agenix edit`: 1) Prompts for Yubikey B PIN for decryption. 2) Prompts for `testkeypass.key` during encryption.
* `agenix generate -f`: 1) Prompts once for Yubikey B PIN for decryption. The PIN is only prompted for once. 2) Prompts for `testkeypass.key` for each generated secret during encryption.
* `agenix rekey -f`: 1) Prompts once for specified Yubikey for decryption. The PIN is only prompted for once.

`AGENIX_REKEY_PRIMARY_IDENTITY` unset

* `agenix edit`: 1) Prompts for Yubikey A PIN for decryption. Prompts for Yubikey B PIN if the first is skipped and (r)age does not fail. 2) Prompts for `testkeypass.key` during encryption.
* `agenix generate -f`: 1) Prompts for Yubikey A PIN for decryption. Prompts for Yubikey B PIN if the first is skipped and (r)age does not fail. Will prompt for PIN of Yubikey B every time Yubikey A is skipped. 2) Prompts for `testkeypass.key` for each generated secret during encryption.
* `agenix rekey -f`: 1) Prompts for Yubikey A PIN for decryption. Prompts for Yubikey B PIN if the first is skipped and (r)age does not fail. Will prompt for PIN of Yubikey B every time Yubikey A is skipped.

`AGENIX_REKEY_PRIMARY_IDENTITY` set to invalid pubkey

Behavior is the same as if unset. The following warning is printed at least once for every one of the three operations:

TODO
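The three changes in the PR description (explicit `pubkey` beats implicit pubkey, implicit pubkey only from a file that carries both an `AGE-PLUGIN-YUBIKEY-` identity line and a `Recipient: age1yubikey1...` line, and `AGENIX_REKEY_PRIMARY_IDENTITY` choosing which identity is tried first with a stderr warning when it matches nothing) add up to one small decision procedure. The following is an added example and not code from this PR or from agenix-rekey: POSIX sh functions that apply those rules to identity files on disk. The `FILE=PUBKEY` entry convention, the function names, the warning text and all sample files (placeholder strings, not real keys) are constructed for the example; rage's `-r` and `-i` options are real, but agenix-rekey's actual wrapper may build its arguments differently.

```shell
#!/bin/sh
# Added example, not agenix-rekey's own code: the identity-selection rules from
# the PR description as POSIX sh functions. The FILE=PUBKEY entry convention and
# every sample file below are constructed for this example; agenix-rekey's exact
# checks and warning text may differ.

# implicit_pubkey FILE
# Prints the pubkey an age-plugin-yubikey identity file carries about itself.
# Both conditions named in the PR must hold: an identity line starting with
# AGE-PLUGIN-YUBIKEY- and a "Recipient: age1yubikey1..." line (age-plugin-yubikey
# writes the latter as a "#    Recipient:" comment). Any other file prints
# nothing and returns 1; such a file is left for (r)age to handle at runtime.
implicit_pubkey() {
  file=$1
  grep -q '^AGE-PLUGIN-YUBIKEY-' "$file" || return 1
  recipient=$(grep -o 'Recipient: age1yubikey1[a-z0-9]*' "$file" | head -n 1)
  [ -n "$recipient" ] || return 1
  printf '%s\n' "${recipient#Recipient: }"
}

# pubkey_for FILE [EXPLICIT_PUBKEY]
# An explicit pubkey (the new masterIdentities `pubkey` attribute) always wins
# over an implicit one. Prints nothing and returns 1 if neither is available.
pubkey_for() {
  if [ -n "${2:-}" ]; then
    printf '%s\n' "$2"
  else
    implicit_pubkey "$1"
  fi
}

# encrypt_args FILE [EXPLICIT_PUBKEY]
# The rage option for encrypting to this identity: "-r PUBKEY" when a pubkey is
# known (no Yubikey PIN needed to encrypt), otherwise "-i FILE" so rage derives
# the recipient itself, which is what causes the PIN prompt during encryption.
encrypt_args() {
  pub=$(pubkey_for "$1" "${2:-}" || true)
  if [ -n "$pub" ]; then
    printf '%s %s\n' -r "$pub"
  else
    printf '%s %s\n' -i "$1"
  fi
}

# decrypt_identities ENTRY...
# ENTRY is FILE or FILE=PUBKEY. Prints the identity files in the order to hand
# to rage for decryption. If AGENIX_REKEY_PRIMARY_IDENTITY names a known pubkey
# (explicit or implicit), that file goes first so only that key is prompted for.
# If it matches nothing, a warning goes to stderr (stdout may be piped by a
# generator) and the original order is kept, as in the PR's "invalid pubkey" case.
decrypt_identities() {
  primary=${AGENIX_REKEY_PRIMARY_IDENTITY:-}
  match=
  if [ -n "$primary" ]; then
    for e in "$@"; do
      file=${e%%=*}
      case $e in *=*) explicit=${e#*=} ;; *) explicit= ;; esac
      pub=$(pubkey_for "$file" "$explicit" || true)
      if [ "$pub" = "$primary" ]; then
        match=$file
        break
      fi
    done
    if [ -z "$match" ]; then
      printf 'warning: AGENIX_REKEY_PRIMARY_IDENTITY=%s matches no master identity, trying all of them\n' "$primary" >&2
    fi
  fi
  [ -n "$match" ] && printf '%s\n' "$match"
  for e in "$@"; do
    file=${e%%=*}
    [ "$file" = "$match" ] || printf '%s\n' "$file"
  done
}

# Constructed sample identity files (placeholder strings, not real keys).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/yubikey-a.txt" <<'EOF'
#       Serial: 1, Slot: 1
#    Recipient: age1yubikey1qexamplea
AGE-PLUGIN-YUBIKEY-1EXAMPLEA
EOF
cat > "$workdir/yubikey-b.txt" <<'EOF'
#       Serial: 2, Slot: 1
#    Recipient: age1yubikey1qexampleb
AGE-PLUGIN-YUBIKEY-1EXAMPLEB
EOF
# A Yubikey identity without the Recipient line: passed through untouched.
printf 'AGE-PLUGIN-YUBIKEY-1EXAMPLEC\n' > "$workdir/yubikey-norecipient.txt"
# A passphrase-protected identity like the PR's testkeypass.key: no pubkey inside.
printf '%s\n' '-----BEGIN AGE ENCRYPTED FILE-----' '...' '-----END AGE ENCRYPTED FILE-----' > "$workdir/testkeypass.key"

# Demo: Yubikey B is tried first when it is the primary identity.
AGENIX_REKEY_PRIMARY_IDENTITY=age1yubikey1qexampleb \
  decrypt_identities "$workdir/yubikey-a.txt" "$workdir/yubikey-b.txt" "$workdir/testkeypass.key"
```

Running the block prints the three files with `yubikey-b.txt` first; setting `AGENIX_REKEY_PRIMARY_IDENTITY` to a pubkey that none of the entries resolves to prints the warning on stderr and the unchanged order on stdout, which is the behaviour the PR's test notes describe for an invalid pubkey.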