oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

added ".hmac" to the good suffix list #36

Closed Arbel-arad closed 1 month ago

Arbel-arad commented 1 month ago

I use agenix and agenix-rekey with the age-plugin-fido2-hmac and age-plugin-tpm plugins, which both produce files pointing to the hardware keystore. This setup works, but I have been getting warnings because my files had a `.hmac` suffix and I don't want to rename all of them, so I added this to the suffix list. It might also be good to add documentation about options other than YubiKeys, because there are many other FIDO2 devices that are completely compatible.

oddlama commented 1 month ago

Sounds good, thank you! Can you elaborate a bit on what is needed exactly to make other FIDO keys work? Then I'd be happy to append the documentation accordingly

Arbel-arad commented 1 month ago

To use generic FIDO2 with the age plugin you need a key that supports the hmac-secret extension (can be checked with `fido2-token -I`). Install the plugin and add it to the agePlugins list, then run `age-plugin-fido2-hmac -g` to generate the credentials. I have it set to not require a PIN because my keys have a fingerprint scanner, but it should work either way. When it asks you if you want a separate identity file, pick yes, and it will print the recipient address and keygrip. From what I can tell the keygrip functions exactly the same as a normal private key when your device is connected and working; otherwise it will prompt you to insert the key and hang until you do:

```
Please insert your token now. Waiting for age-plugin-fido2-hmac... Please touch your token...
```

Then you set the identity as normal (excuse my backwards import):

```nix
{ identity = ../../secrets/atkey.pro-a1.hmac; pubkey = "age123456"; }
```

For the final part I'm not sure if it is required, but you may need to set the ageBin path. I copied it from someone else and only changed the package names:

```nix
ageBin = "PATH=$PATH:${lib.makeBinPath [pkgs.age-plugin-fido2-hmac pkgs.age-plugin-tpm]} ${pkgs.rage}/bin/rage";
```

About using a TPM, I plan to write a generator for it so every new host is configured automatically, but that will take a while. For manual use it is configured the same as FIDO.
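The setup described in the comment above, assembled into one agenix-rekey host configuration fragment. This is an added example, not code from the thread or from the agenix-rekey project. The option names under `age.rekey` (`agePlugins`, `masterIdentities`, `hostPubkey`, `storageMode`, `localStorageDir`) are the ones the agenix-rekey module exposes as I know it and should be checked against the README of the version you pin; the identity path, the `age1...` recipient and the SSH host key are placeholders.

```nix
# Added example (not from the thread or the project): agenix-rekey host
# configuration using a FIDO2 hmac-secret credential as the master identity.
# Option names are agenix-rekey's `age.rekey.*` options; verify them against
# the pinned version's README. Paths and keys below are placeholders.
{ config, pkgs, ... }:
{
  age.rekey = {
    # Plugins agenix-rekey puts on PATH wherever it invokes age/rage, so the
    # separate ageBin PATH override from the comment should not be needed.
    agePlugins = [
      pkgs.age-plugin-fido2-hmac
      pkgs.age-plugin-tpm
    ];

    # Identity file written by `age-plugin-fido2-hmac -g` when answering "yes"
    # to a separate identity file; pubkey is the recipient printed next to it.
    # The file references the credential on the token; the key material itself
    # is derived on the device, which is why the token must be present to decrypt.
    masterIdentities = [
      {
        identity = ./secrets/atkey.pro-a1.hmac;   # placeholder path
        pubkey = "age1placeholderrecipient";      # placeholder recipient
      }
    ];

    # Host public key that secrets are rekeyed to (placeholder value;
    # take it from /etc/ssh/ssh_host_ed25519_key.pub on the target host).
    hostPubkey = "ssh-ed25519 AAAAC3placeholder";

    # Keep rekeyed secrets next to the host configuration so git tracks them.
    storageMode = "local";
    localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
  };
}
```

Before running `age-plugin-fido2-hmac -g`, confirm the token advertises the hmac-secret extension: `fido2-token -L` lists attached devices and `fido2-token -I <device>` prints their extensions, as the comment notes. A token without that extension will not produce a usable identity.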

oddlama commented 1 month ago

Thanks for the writeup! I've added the instructions to the readme.

> for the final part i'm not sure if it is required, but you may need to set the ageBin path

I think this path should be set automatically based on the configured agePlugins at any point where agenix-rekey calls age/rage. So this shouldn't be required, otherwise I'd say that's a bug :D