Add YubiKey usage docs
nrdxp committed Jun 7, 2021
1 parent 52cb9ed commit 2ebfe0a
Showing 5 changed files with 74 additions and 24 deletions.
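--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix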
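--- a/README.md
+++ b/README.md
@@ -183,6 +183,24 @@ randomness in `age`'s encryption algorithms, the files always change
 when rekeyed, even if the identities do not. (This eventually could be
 improved upon by reading the identities from the age file.)
 
+## YubiKey Support
+
+There is now a rage plugin to allow for encrypting age files with a YubiKey.
+Agenix offers preliminary support for this use case.
+
+For ease of use, the required `age-plugin-yubikey` binary is included in the
+agenix devshell. In general, rage plugins are searched for in the system `PATH`,
+so make sure, if not using the shell, that `age-plugin-yubikey` exists in your
+path.
+
+Be sure to setup your YubiKey as outlined in the official
+[plugin instructions][yk-plugin].
+
+Once you have a proper key generated, run `age-plugin-yubikey -i > yubi_id`
+to save the identity for the key. Consider the `recipient` as the public key,
+set it accordingly in `secrets.nix`, and invoke agenix as
+`agenix -i yubi_id # ...` to target the yubikey identity.
+
 ## Threat model/Warnings
 
 This project has not be audited by a security professional.
@@ -201,3 +219,5 @@ out for simplicity in `age`.
 ## Acknowledgements
 
 This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.
+
+[yk-plugin]: https://github.com/str4d/age-plugin-yubikey#usage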
70 changes: 46 additions & 24 deletions flake.nix
Expand Up @@ -2,29 +2,51 @@
description = "Secret management with age";

outputs = { self, nixpkgs }:
let
agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
in {

nixosModules.age = import ./modules/age.nix;

overlay = import ./overlay.nix;

packages."aarch64-linux".agenix = agenix "aarch64-linux";
defaultPackage."aarch64-linux" = self.packages."aarch64-linux".agenix;

packages."i686-linux".agenix = agenix "i686-linux";
defaultPackage."i686-linux" = self.packages."i686-linux".agenix;

packages."x86_64-darwin".agenix = agenix "x86_64-darwin";
defaultPackage."x86_64-darwin" = self.packages."x86_64-darwin".agenix;

packages."x86_64-linux".agenix = agenix "x86_64-linux";
defaultPackage."x86_64-linux" = self.packages."x86_64-linux".agenix;
checks."x86_64-linux".integration = import ./test/integration.nix {
inherit nixpkgs; pkgs = nixpkgs.legacyPackages."x86_64-linux"; system = "x86_64-linux";
let
agenix = system:
nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix { };
age-plugin-yubikey = system:
nixpkgs.legacyPackages.${system}.callPackage
./pkgs/age-plugin-yubikey.nix
{ };
in
{

nixosModules.age = import ./modules/age.nix;

overlay = import ./overlay.nix;

packages."aarch64-linux".agenix = agenix "aarch64-linux";
defaultPackage."aarch64-linux" = self.packages."aarch64-linux".agenix;

packages."i686-linux".agenix = agenix "i686-linux";
defaultPackage."i686-linux" = self.packages."i686-linux".agenix;

packages."x86_64-darwin".agenix = agenix "x86_64-darwin";
defaultPackage."x86_64-darwin" = self.packages."x86_64-darwin".agenix;

packages."x86_64-linux".agenix = agenix "x86_64-linux";
defaultPackage."x86_64-linux" = self.packages."x86_64-linux".agenix;
checks."x86_64-linux".integration = import ./test/integration.nix {
inherit nixpkgs;
pkgs = nixpkgs.legacyPackages."x86_64-linux";
system = "x86_64-linux";
};

devShell."aarch64-linux" = import ./shell.nix {
pkgs = nixpkgs.legacyPackages."aarch64-linux";
};

devShell."i686-linux" = import ./shell.nix {
pkgs = nixpkgs.legacyPackages."i686-linux";
};

devShell."x86_64-darwin" = import ./shell.nix {
pkgs = nixpkgs.legacyPackages."x86_64-darwin";
};

devShell."x86_64-linux" = import ./shell.nix {
pkgs = nixpkgs.legacyPackages."x86_64-linux";
};
};

};

}
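Review bot: The new `age-plugin-yubikey` helper (and the overlay and shell.nix in this commit) reference `./pkgs/age-plugin-yubikey.nix`, but that file is not among the five files this commit touches, so unless it already exists in the parent commit, evaluating the devShell or overlay fails with a missing-path error; the derivation should be added in this commit or the reference held back until it lands. Because rage locates plugins by `PATH` and this devShell is the documented way to obtain the binary that talks to the YubiKey, that derivation should pin its `src` by version and hash so the plugin is reproducible across machines — something this diff cannot show. The four near-identical `devShell.*` attributes repeat the system list already spelled out for `packages`; a small helper mapping over one shared list of systems would keep that list in a single place. The `outputs` attribute set edited here opens before the hunk (line 1 of the file) and its closing brace is the hunk's last line.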
1 change: 1 addition & 0 deletions overlay.nix
@@ -1,4 +1,5 @@
final: prev:
{
agenix = prev.callPackage ./pkgs/agenix.nix { };
age-plugin-yubikey = prev.callPackage ./pkgs/age-plugin-yubikey.nix { };
}
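--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,6 @@
+{ pkgs ? import <nixpkgs> { }
+, agenix ? pkgs.callPackage ./pkgs/agenix.nix { }
+, age-plugin-yubikey ? pkgs.callPackage ./pkgs/age-plugin-yubikey.nix { }
+, ...
+}:
+pkgs.mkShell { buildInputs = [ agenix age-plugin-yubikey ]; }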
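Review bot: `pkgs ? import <nixpkgs> { }` resolves nixpkgs from `NIX_PATH`, so when this shell is entered through the new `.envrc` (`use nix` evaluates `shell.nix`, not the flake) the `agenix` and `age-plugin-yubikey` builds are not pinned to the flake's locked `nixpkgs` input and can differ from machine to machine, which matters for the binary that handles the YubiKey identity. Consider switching `.envrc` to `use flake` (nix-direnv) or documenting the gap with a header comment such as `# NOTE: \`use nix\`/direnv evaluates this file against NIX_PATH, not flake.lock; use \`nix develop\` for the pinned shell`. The trailing `...` in the argument set accepts any unknown attribute, so a misspelled `--arg` override is silently ignored rather than rejected; dropping it would surface such mistakes.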
