20 Aug 2024 |
@pascal.dietrich:mintux.de | Hi, I store multiple secrets using the same SSH key with agenix but every time I rebuild my system, I have to enter the password of the key for each secret. Is there an option to only enter it once? | 22:36:07 |
21 Aug 2024 |
| eyJhb joined the room. | 19:20:47 |
22 Aug 2024 |
uep | you shouldn't have to enter it at all | 08:58:51 |
uep | the secrets should be decrypted on the host at runtime, not during build. Something is amiss with your config it seems. | 09:00:07 |
uep | the only time you should need to enter your user key is when editing or rekeying secrets to additional hosts | 09:01:32 |
@pascal.dietrich:mintux.de | In reply to @uep:matrix.org "you shouldn't have to enter it at all": My key has a password, so I should have to enter it at some point. | 09:12:45 |
@pascal.dietrich:mintux.de | In reply to @uep:matrix.org "the secrets should be decrypted on the host at runtime, not during build. Something is amiss with your config it seems.": Could it be that this happens because I also switch the generation and not only rebuild? | 09:12:55 |
@pascal.dietrich:mintux.de | But I'll look in the docs again. | 09:13:08 |
uep | Secrets should be encrypted to several keys:
- the ssh host public key of each system that needs it, to be decrypted at boot / activation
- the user public key of each admin that needs to edit or change the config, such as when re-encrypting to add a new host
Note, in particular, that neither of these happens during build (but, yes, switch involves activation that should not involve a user key)
| 19:06:01 |
@pascal.dietrich:mintux.de | On my system, I am the admin AND user with one single key. | 19:09:05 |
uep | yes | 19:09:20 |
uep | that's the second row. You still want the first row for the host key as well | 19:10:02 |
uep | the minimum useful case is one of each | 19:10:24 |
uep | more if the key is shared between hosts, there are multiple admins, backup keys, etc etc | 19:11:31 |
@pascal.dietrich:mintux.de | Or is the idea that I have one key for me (possibly with a password) and one without one for the system? | 19:12:27 |
uep | I suspect your host won't boot properly and won't decrypt the secret except when you're running switch in a user session with sudo etc | 19:13:45 |
uep | the ssh host key is the usual choice for that system key. yes. | 19:14:34 |
@pascal.dietrich:mintux.de | And why do I need two keys? Wouldn't one be sufficient technically? | 19:16:04 |
uep | yes but then you have to enter it on every boot and activation, which is what you're complaining about :) | 19:17:11 |
@pascal.dietrich:mintux.de | Ok. Makes sense. | 19:17:39 |
uep | you need two keys, one (at least) for each of the circumstances in the dot points above | 19:18:06 |
uep | if you really want just one key, it should be the host key, and you decide you never want an admin to edit it (perhaps you just generate an entirely new secret whenever a change happens) | 19:20:21 |
uep | think of it like sending a message to the future host while it boots, it needs to be able to decrypt your message | 19:22:01 |
@pascal.dietrich:mintux.de | Ok. Thanks a lot for your explanations. | 19:22:59 |
uep | np, good luck | 19:23:18 |
29 Aug 2024 |
| @feathecutie:tchncs.de left the room. | 12:40:43 |
31 Aug 2024 |
| undltd joined the room. | 15:33:53 |
undltd | Hi everyone. Is there a way to specify in secrets.nix something like "mysecret-*.age".publicKeys = [ key1 key2 ] so that I don't have to list every file explicitly? | 15:38:05 |