Room: agenix (!XLCFfvFhUkYwOMLbVx:nixos.org)

355 Members, 90 Servers
age-encrypted secrets for NixOS https://github.com/ryantm/agenix/



14 Jan 2024
@xxxcrow:matrix.org (n3v3r_a9a1n)
In reply to @happyalu:matrix.org
I was using git-crypt with yubikey before, and just switched to sops-nix.
Is yubikey working for you right now?
If yes, can you show me the way to do this, please, I can't find clues 💀
17:36:32
@oddlama:matrix.org (oddlama)
Do you want to use your yubikey to decrypt on system activation, or do you want to use it to store encrypted secrets in your repository which are then rekeyed for the host before deploying?
21:02:08
15 Jan 2024
@xxxcrow:matrix.org (n3v3r_a9a1n)
In reply to @oddlama:matrix.org
Do you want to use your yubikey to decrypt on system activation, or do you want to use it to store encrypted secrets in your repository which are then rekeyed for the host before deploying?
First!
The second one I just don't understand 😅
02:31:47
@happyalu:matrix.org (Alok Parlikar)
In reply to @xxxcrow:matrix.org
Is yubikey working for you right now?
If yes, can you show me the way to do this, please, I can't find clues 💀

I'm using gpg on my yubikey to encrypt secrets in the repo. sops-nix decrypts them at system activation. Yubikey is not (needed to be) present during the activation. Not sure if that matches with what you are trying to do.

I found these resources helpful:

  1. create ECC based gpg key. https://illuad.fr/2020/10/06/build-an-openpgp-key-based-on-ecc.html
  2. add the key to yubikey. https://illuad.fr/2020/10/07/store-openpgp-keys-on-a-yubikey.html

After that I just followed the sops-nix readme to add my gpg key fingerprint to the .sops.yaml file.

04:52:19
@xxxcrow:matrix.org (n3v3r_a9a1n)
In reply to @happyalu:matrix.org

I'm using gpg on my yubikey to encrypt secrets in the repo. sops-nix decrypts them at system activation. Yubikey is not (needed to be) present during the activation. Not sure if that matches with what you are trying to do.

I found these resources helpful:

  1. create ECC based gpg key. https://illuad.fr/2020/10/06/build-an-openpgp-key-based-on-ecc.html
  2. add the key to yubikey. https://illuad.fr/2020/10/07/store-openpgp-keys-on-a-yubikey.html

After that I just followed the sops-nix readme to add my gpg key fingerprint to the .sops.yaml file.

Does not need to be present during activation? Because it is stored in the agent? 🤔
04:56:01
@happyalu:matrix.org (Alok Parlikar)
In reply to @xxxcrow:matrix.org
Does not need to be present during activation? Because it is stored in the agent? 🤔
Oh, I missed one quite important detail. I use the yubikey mainly so I can edit my secrets anywhere. For the host, I use the ssh key of the host (with ssh-to-age) for decryption.
04:58:37
@happyalu:matrix.org (Alok Parlikar)
In reply to @happyalu:matrix.org
Oh, I missed one quite important detail. I use the yubikey mainly so I can edit my secrets anywhere. For the host, I use the ssh key of the host (with ssh-to-age) for decryption.
I'm not sure if a yubikey-based gpg key can actually be used at system boot -- I'm not sure if it can be done.
04:59:15


