26 Mar 2025 |
rane [they/them] | I think you might be mixing up public and private keys - you need the public key to encrypt, the private key to decrypt. A private key only needs to be present when you are decrypting the existing values. When you are editing or creating secrets, you will need access to at least one private key. Every private key has a corresponding public key, which must be "added" in secrets.nix to have "access" to a secret. A yubikey is just one thing you can use; you can use a private key you control with a passphrase, for example, instead. As long as the corresponding public key has "access" in secrets.nix to the secret. When it comes to machines, the SSH private key should only ever be present on the machine where the SSH key is being used for SSH, but agenix can also use this as a private key for decrypting secrets. So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix, when running on that destination NixOS machine, can decrypt the secrets from the Nix store and then store the decrypted secret as a file under /run, which is typically a memory-only filesystem (so they don't persist and need to be decrypted each reboot).
Putting all of this together, if you have a personal private key for admin purposes (i.e., adding and editing secrets), you would give the corresponding public key access to the secrets so the public key is used to encrypt the value. The public keys of any machines (i.e., the SSH public key, which ssh-keyscan gives you) are also added as public keys and used for encryption for the secret. Only the machines and users with access to the private key for any of those identities, however, can actually decrypt the secret. Does that make more sense?
| 04:21:27 |
27 Mar 2025 |
@raijin_:matrix.org | [image: image.png] | 15:59:19 |
@raijin_:matrix.org | rane [they/them]: thanks so much for your explanations, I think I'm starting to understand. I'm kind of a visual learner, so I diagrammed out my current setup here. Maybe that will shed light on where my misunderstanding lies.
A private key only needs to be present when you are decrypting the existing values
But what public key does this private key correspond to? One of the public keys defined and assigned to the secret in secrets.nix? Or one of the original keys in identityPaths that encrypted the secret?
A yubikey is just one thing you use
So I would have a public key entry in secrets.nix for the YubiKey just as I would for a host?
So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix,
I think I have this part, because when I get a new host (non-server), I generate a new keypair on that machine and add the pubkey to secrets.nix. I then add that key as a target in secrets.nix (for the secrets defined in user_secrets.nix)? But obviously I'm missing something when trying to rekey my secrets for the new machine, because the operation does not generate new files.
| 15:59:22 |
28 Mar 2025 |
| scottytheengineer joined the room. | 18:16:13 |
30 Mar 2025 |
| 98765abc joined the room. | 02:13:30 |
31 Mar 2025 |
| taw420 joined the room. | 21:13:40 |
3 Apr 2025 |
| Ben Sparks joined the room. | 16:18:24 |
4 Apr 2025 |
| divit joined the room. | 12:22:35 |
5 Apr 2025 |
| @tinybronca:sibnsk.net left the room. | 15:41:33 |
8 Apr 2025 |
| @morbidity3080:deep.fo joined the room. | 10:39:18 |
| @morbidity3080:deep.fo left the room. | 10:39:52 |
9 Apr 2025 |
| Sean joined the room. | 19:06:15 |
Sean | https://github.com/ryantm/agenix/issues/115
where do I get my host ssh key from? | 19:25:08 |
Sean | oh, I don't need one | 19:44:32 |
10 Apr 2025 |
| fwam changed their profile picture. | 19:57:47 |
11 Apr 2025 |
| thoughtcrime69 joined the room. | 14:39:59 |
| @ambroisie:belanyi.fr left the room. | 22:09:34 |
16 Apr 2025 |
| wesleyjrz joined the room. | 12:10:05 |
17 Apr 2025 |
| mmkaram joined the room. | 04:29:42 |
| Sam changed their display name from Sam to Sam (away → 5/5). | 17:17:41 |
18 Apr 2025 |
| Saik joined the room. | 16:20:15 |
Saik | Hello, here's a simple question that I've had a hard time finding an answer to:
is there a way to have a subfolder within secrets/?
I prefer subfoldering -- category/secret_name.age -- over appending -- category.secret_name.age
| 16:22:34 |
eyJhb | In reply to @saik3617:matrix.org
Hello, here's a simple question that I've had a hard time finding an answer to:
is there a way to have a subfolder within secrets/?
I prefer subfoldering -- category/secret_name.age -- over appending -- category.secret_name.age
Yes, just create it and use it | 16:32:18 |
eyJhb | @Saik https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/secrets.nix#L20 | 16:33:01 |
eyJhb | And then I use it like this https://git.fricloud.dk/fricloud/server-configs/src/branch/main/secrets/default.nix#L6 | 16:33:27 |
eyJhb | You can see all the secrets in that folder as well. | 16:33:48 |