!XLCFfvFhUkYwOMLbVx:nixos.org

agenix

310 Members, 92 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/



20 Mar 2025
@Valodim:stratum0.org (Valodim)

Setting a different default private key location via environment is one thing I miss in agenix from sops

20:28:32
21 Mar 2025
adjivas (@adjivas:matrix.org) joined the room. 01:50:53
22 Mar 2025
isabel (@isabel:isabelroses.com) joined the room. 00:42:36
23 Mar 2025
@sleepymonad:matrix.org left the room. 07:42:13
24 Mar 2025
@raijin_:matrix.org

rane [they/them]: thanks for the reply. I think I get the gist of what you're saying. Currently I have things divided up between "user" and "system" secrets,

so a system secret is decrypted by a host SSH key and is used for a system service like a running docker container, etc. This is mostly "done" because I'm only deploying to one host for now.

Whereas a user secret is decrypted by a user-generated SSH key. Passwords to email clients, etc. This has been working great but now that I am re-using the same user config on another machine, I need to rekey.

I added that new user-generated public key to my secrets.nix, and added the new user as a target recipient to one of the secrets, and ran agenix -i /path/to/priv/key/that/originally/encrypted/everything --rekey and for each secret, it simply said that it "<secret_name> wasn't created". Verbose mode didn't reveal much. What am I missing? Do I need to add the key for the new machine as an IdentityPath as well in order to rekey?

05:49:08
@rane:junkyard.systems (rane [they/them])

Is there a reason you'd like to have this logical idea of "user" and "system" keys? My understanding (at least based on my usage) is that it's the machine that will need to decrypt the secrets it has access to, at each boot (because they are not stored decrypted on disk). I treat all my secrets the same, with the exception of how they are used and which machines need access to them. Some secrets are locked to specific owners with specific permissions, but they all have the SSH public keys and my YubiKey as a public key in the identities which have "access" to them, if that makes sense? Even if they are used by Home Manager, or just for setting up my user account.

So for example, I set my user password as an agenix secret which is encrypted with my YubiKey as one identity, but then the machines where I deploy that password to my user account are also added so they can decrypt the secret. This is the same for secrets used by system services; I also add my YubiKey so I can rekey on my workstation when I add or remove SSH keys from my identities configuration.

08:00:47
Nicolas (@eisfunke:eisfunke.com) changed their display name from Nicolas Lenz to Nicolas. 13:40:28
@raijin_:matrix.org

I think the main reason is that I was scouring for any examples of how people have set up agenix and I found that the pattern was pretty common, people will have a list like users = [user1 user2 user3] and then allow an arbitrary secret to be accessed by users, and the same goes for system.

It made sense to me because logically it makes sense that system secrets are:

  • Decrypted by host SSH key
  • used in NixOS config to manage services

whereas user keys are

  • decrypted by user SSH key
  • used by Home-Manager to configure user applications.

I think my end goal with this setup was to have something akin to what you have, where I have a single source of truth like a Yubikey and then all secrets can decrypt off that. I'm just not quite sure how to achieve this, as you can see I'm having difficulty with the simple task of adding an additional key that can decrypt secrets lol

15:10:53
@raijin_:matrix.org

My intention is to make setup/maintenance of systems as seamless as possible, and getting the secrets to work is currently a huge pain point.

I treat all my secrets the same, with the exception of how they are used and which machines need access to them.

So this is done within your secret config? I need to implement something like this, because even though I don't have the secrets "assigned" to a host, it still tries to decrypt them during system rebuild and makes the build output "fail".

Do you happen to have a public configuration I can look at? Or would you be so kind as to look over my configuration and give me some pointers? https://github.com/GideonWolfe/nix/tree/main/configs/secrets

I'd like to work towards a setup like you have where

  • I have a single key that I can keep on a yubikey that decrypts ALL secrets (does this have to be in every boot?)
  • it is easy to add new systems/hosts/users to my config
15:17:38
@raijin_:matrix.org

also I don't currently have a personal Yubikey, which model is optimal for this application? any?

15:23:14

@raijin_:matrix.org (edited)

also I don't currently have a personal Yubikey, which model is optimal for this application? any? And if it does need to be connected at boot to decrypt secrets, what happens if I need to remotely reboot my server?

15:24:28
26 Mar 2025
@rane:junkyard.systems (rane [they/them])

I think you might be mixing up public and private keys: you need the public key to encrypt, the private key to decrypt. A private key only needs to be present when you are decrypting the existing values. When you are editing or creating secrets, you will need access to at least one private key. Every private key has a corresponding public key, which must be "added" in secrets.nix to have "access" to a secret.

A YubiKey is just one thing you can use; you can use a private key you control with a passphrase, for example, instead. As long as the corresponding public key has "access" in secrets.nix to the secret.

When it comes to machines, the SSH private key should only ever be present on the machine where the SSH key is being used for SSH, but agenix can also use this as a private key for decrypting secrets. So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix, when running on that destination NixOS machine, can decrypt the secrets from the Nix store and then store the decrypted secret as a file under /run, which is typically a memory-only filesystem (so they don't persist and need to be decrypted each reboot).

Putting all of this together: if you have a personal private key for admin purposes (i.e., adding and editing secrets), you would give the corresponding public key access to the secrets, so the public key is used to encrypt the value. The public keys of any machines (i.e., the SSH public key, which ssh-keyscan gives you) are also added as public keys and used for encryption for the secret. Only the machines and users with access to the private key for any of those identities, however, can actually decrypt the secret. Does that make more sense?

04:21:27
27 Mar 2025
@raijin_:matrix.org

[image: image.png]

15:59:19
@raijin_:matrix.org

rane [they/them]: thanks so much for your explanations, I think I'm starting to understand. I'm kind of a visual learner, so I diagrammed out my current setup here. Maybe that will shed light on where my misunderstanding lies.

A private key only needs to be present when you are decrypting the existing values

But what public key does this private key correspond to? One of the public keys defined and assigned to the secret in secrets.nix? Or one of the original keys in identityPaths that encrypted the secret?

A yubikey is just one thing you use

So I would have a public key entry in secrets.nix for the YubiKey just as I would for a host?

So if you store the public key of a machine which needs access to a secret in the secrets.nix file and give it "access" to a secret, agenix,

I think I have this part, because when I get a new host (non-server), I generate a new keypair on that machine and add the pubkey to secrets.nix. I then add that key as a target in secrets.nix. (for the secrets defined in user_secrets.nix)? But obviously I'm missing something when trying to rekey my secrets for the new machine, because the operation does not generate new files.

15:59:22
28 Mar 2025
scottytheengineer (@scottytheengineer:matrix.org) joined the room. 18:16:13
30 Mar 2025
98765abc (@98765abc:mozilla.org) joined the room. 02:13:30
31 Mar 2025
taw420 (@taw420:matrix.org) joined the room. 21:13:40
3 Apr 2025
Ben Sparks (@benjaminsparks:chat.alugha.app) joined the room. 16:18:24
4 Apr 2025
divit (@divit:matrix.org) joined the room. 12:22:35
5 Apr 2025
@tinybronca:sibnsk.net left the room. 15:41:33
8 Apr 2025
@morbidity3080:deep.fo joined the room. 10:39:18
@morbidity3080:deep.fo left the room. 10:39:52
9 Apr 2025
Sean (@codebam:fedora.im) joined the room. 19:06:15

@codebam:fedora.im (Sean)

https://github.com/ryantm/agenix/issues/115 where do I get my host ssh key from?

19:25:08

@codebam:fedora.im (Sean)

oh, I don't need one

19:44:32
10 Apr 2025
fwam (@fwam:femdom.solutions) changed their profile picture. 19:57:47
11 Apr 2025
thoughtcrime69 (@thoughtcrime69:matrix.org) joined the room. 14:39:59
@ambroisie:belanyi.fr left the room. 22:09:34
16 Apr 2025
wesleyjrz (@wesleyjrz:matrix.org) joined the room. 12:10:05
17 Apr 2025
mmkaram (@mmkaram:matrix.org) joined the room. 04:29:42



Room Version: 6