| 18 Nov 2025 |
|  @eschguy:matrix.org left the room. | 20:47:57 |
| 19 Nov 2025 |
|  tioan joined the room. | 19:38:35 |
| 20 Nov 2025 |
|  John joined the room. | 05:37:45 |
| 21 Nov 2025 |
|  jappie joined the room. | 17:01:57 |
|  isabel changed their profile picture. | 18:14:24 |
| 23 Nov 2025 |
 Alexandros Liarokapis | Hi there. Is there an actual security advantage of not keeping secrets decrypted at rest say at /var/lib/agenix/secrets or similar and instead decrypting on startup? What is the threat model here exactly? If they could get access to /var/lib/agenix/secrets or similar they should also be able to get access to private decryption keys | 23:12:11 |
 K900 | You still need to redecrypt on activation | 23:14:09 |
| K900 | And activation generally runs before everything else. | 23:14:17 |
| K900 | So it doesn't really matter in practice | 23:14:27 |
| K900 | I feel like a better question is, what are you trying to do where this difference matters? | 23:15:25 |
| Alexandros Liarokapis | The reason I am asking is because I am writing a small bitwarden secret manager module which would fetch secrets through network call so I want some way to store the secrets in case network is not available and thinking whether or not keeping encrypted at rest gives any security advantage. I can see this being the case if TPM is used to store the key for example but not for normal ssh keys. | 23:15:21 |
| Alexandros Liarokapis | idea is you add the machine-scoped/project-scoped/secret-scoped BWS key on /var/lib/bws/auth or similar. Rest of the interface is pretty much the same as agenix minus the age/ssh-specific configs and using .id instead of .file And I am kind of split between keeping the secrets at /var/lib/bws/secrets unencrypted but with proper permissions or encrypting with some identity key as agenix and decrypting on startup to /run/secrets but I don't think the latter gives any security advantage in practice, I /could/ use TPM however which would give some protection against stolen disk contents. | 23:19:08 |
| 3 Dec 2025 |
|  Gus joined the room. | 12:29:10 |
| 4 Dec 2025 |
|  @onur-ozkan:matrix.org joined the room. | 04:20:47 |
| isabel changed their profile picture. | 16:42:13 |
| 11 Dec 2025 |
|  suua joined the room. | 16:11:07 |
| 12 Dec 2025 |
|  whispers [& it/fae] changed their profile picture. | 04:51:16 |
| 13 Dec 2025 |
|  @MartiniMoe:matrix.org left the room. | 07:35:43 |
|  Josh joined the room. | 22:41:55 |
| Josh | Redacted or Malformed Event | 23:20:22 |
| Josh changed their display name from Joshua Campbell to Josh. | 23:25:01 |
| 16 Dec 2025 |
|  @azahi:azahi.cc joined the room. | 18:22:06 |
| 17 Dec 2025 |
|  aura joined the room. | 11:03:34 |
| 24 Dec 2025 |
|  pltrz joined the room. | 12:36:21 |
| 26 Dec 2025 |
| isabel changed their profile picture. | 11:37:59 |
| jappie changed their display name from jappie to jappie @ 39c3. | 15:49:41 |
| 27 Dec 2025 |
| jappie changed their display name from jappie @ 39c3 to jasper @ 39c3 ☎️ 62749. | 13:30:50 |
|  gabyx joined the room. | 22:34:34 |
| gabyx | Hi all, I was wondering if its possible that agenix can reference a symlink like:
{
age.secrets.monitrc.file = ../secrets/monitrc.age; # <<- this is a symlink to another file somewhere else (submodule) in the repository
}
apparently the above does not work so far.
I wanted to separate out some secrets into private submodules.
| 22:36:57 |
 hexa | https://github.com/FiloSottile/age/releases/tag/v1.3.0 | 22:37:11 |
