From 2ebfe0ac91f4c545057f66b49a20e59feb6249a1 Mon Sep 17 00:00:00 2001
From: Timothy DeHerrera
Date: Mon, 7 Jun 2021 14:05:35 -0600
Subject: [PATCH] Add YubiKey usage docs
---
 .envrc | 1 +
 README.md | 20 +++++++++++++++
 flake.nix | 70 +++++++++++++++++++++++++++++++++++------------------
 overlay.nix | 1 +
 shell.nix | 6 +++++
 5 files changed, 74 insertions(+), 24 deletions(-)
 create mode 100644 .envrc
 create mode 100644 shell.nix
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/README.md b/README.md
index c53e951..8d9fb38 100644
--- a/README.md
+++ b/README.md
@@ -183,6 +183,24 @@ randomness in `age`'s encryption algorithms, the files always change when
 rekeyed, even if the identities do not. (This eventually could be improved
 upon by reading the identities from the age file.)
 
+## YubiKey Support
+
+There is now a rage plugin to allow for encrypting age files with a YubiKey.
+Agenix offers preliminary support for this use case.
+
+For ease of use, the required `age-plugin-yubikey` binary is included in the
+agenix devshell. In general, rage plugins are searched for in the system `PATH`,
+so make sure, if not using the shell, that `age-plugin-yubikey` exists in your
+path.
+
+Be sure to setup your YubiKey as outlined in the official
+[plugin instructions][yk-plugin].
+
+Once you have a proper key generated, run `age-plugin-yubikey -i > yubi_id`
+to save the identity for the key. Consider the `recipient` as the public key,
+set it accordingly in `secrets.nix`, and invoke agenix as
+`agenix -i yubi_id # ...` to target the yubikey identity.
+
 ## Threat model/Warnings
 
 This project has not be audited by a security professional.
@@ -201,3 +219,5 @@ out for simplicity in `age`.
 ## Acknowledgements
 
 This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.
+
+[yk-plugin]: https://github.com/str4d/age-plugin-yubikey#usage
diff --git a/flake.nix b/flake.nix
index 02221f1..e26424d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,29 +2,51 @@
 description = "Secret management with age";
 
 outputs = { self, nixpkgs }:
- let
- agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
- in {
-
- nixosModules.age = import ./modules/age.nix;
-
- overlay = import ./overlay.nix;
-
- packages."aarch64-linux".agenix = agenix "aarch64-linux";
- defaultPackage."aarch64-linux" = self.packages."aarch64-linux".agenix;
-
- packages."i686-linux".agenix = agenix "i686-linux";
- defaultPackage."i686-linux" = self.packages."i686-linux".agenix;
-
- packages."x86_64-darwin".agenix = agenix "x86_64-darwin";
- defaultPackage."x86_64-darwin" = self.packages."x86_64-darwin".agenix;
-
- packages."x86_64-linux".agenix = agenix "x86_64-linux";
- defaultPackage."x86_64-linux" = self.packages."x86_64-linux".agenix;
- checks."x86_64-linux".integration = import ./test/integration.nix {
- inherit nixpkgs; pkgs = nixpkgs.legacyPackages."x86_64-linux"; system = "x86_64-linux";
+ let
+ agenix = system:
+ nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix { };
+ age-plugin-yubikey = system:
+ nixpkgs.legacyPackages.${system}.callPackage
+ ./pkgs/age-plugin-yubikey.nix
+ { };
+ in
+ {
+
+ nixosModules.age = import ./modules/age.nix;
+
+ overlay = import ./overlay.nix;
+
+ packages."aarch64-linux".agenix = agenix "aarch64-linux";
+ defaultPackage."aarch64-linux" = self.packages."aarch64-linux".agenix;
+
+ packages."i686-linux".agenix = agenix "i686-linux";
+ defaultPackage."i686-linux" = self.packages."i686-linux".agenix;
+
+ packages."x86_64-darwin".agenix = agenix "x86_64-darwin";
+ defaultPackage."x86_64-darwin" = self.packages."x86_64-darwin".agenix;
+
+ packages."x86_64-linux".agenix = agenix "x86_64-linux";
+ defaultPackage."x86_64-linux" = self.packages."x86_64-linux".agenix;
+ checks."x86_64-linux".integration = import ./test/integration.nix {
+ inherit nixpkgs;
+ pkgs = nixpkgs.legacyPackages."x86_64-linux";
+ system = "x86_64-linux";
+ };
+
+ devShell."aarch64-linux" = import ./shell.nix {
+ pkgs = nixpkgs.legacyPackages."aarch64-linux";
+ };
+
+ devShell."i686-linux" = import ./shell.nix {
+ pkgs = nixpkgs.legacyPackages."i686-linux";
+ };
+
+ devShell."x86_64-darwin" = import ./shell.nix {
+ pkgs = nixpkgs.legacyPackages."x86_64-darwin";
+ };
+
+ devShell."x86_64-linux" = import ./shell.nix {
+ pkgs = nixpkgs.legacyPackages."x86_64-linux";
+ };
 };
-
- };
-
 }
diff --git a/overlay.nix b/overlay.nix
index de0e8a6..4a1c726 100644
--- a/overlay.nix
+++ b/overlay.nix
@@ -1,4 +1,5 @@
 final: prev: {
 agenix = prev.callPackage ./pkgs/agenix.nix { };
+ age-plugin-yubikey = prev.callPackage ./pkgs/age-plugin-yubikey.nix { };
 }
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..754d425
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,6 @@
+{ pkgs ? import { }
+, agenix ? pkgs.callPackage ./pkgs/agenix.nix { }
+, age-plugin-yubikey ? pkgs.callPackage ./pkgs/age-plugin-yubikey.nix { }
+, ...
+}:
+pkgs.mkShell { buildInputs = [ agenix age-plugin-yubikey ]; }
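Review bot: The `age-plugin-yubikey` binding added to the new `let` block in flake.nix is never used: no `packages.<system>.age-plugin-yubikey` output is declared, and every `devShell` passes only `pkgs` to `./shell.nix`, which calls `callPackage` on the plugin itself. Either export it next to `agenix` so the flake exposes what `overlay.nix` now exposes, e.g. `packages."x86_64-linux".age-plugin-yubikey = age-plugin-yubikey "x86_64-linux";` (and likewise for the other three systems), or drop the binding. Separately, `./pkgs/age-plugin-yubikey.nix` is referenced here, in `overlay.nix` and in `shell.nix`, but the diffstat lists no such file, so evaluation fails unless it was added in an earlier commit; that file is presumably also where the plugin's source pin and hash would live, so it is the part most worth reviewing. The four repeated `devShell` blocks could share a `system:` helper the way `agenix` does, which keeps them from drifting apart.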
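Review bot: With `.envrc` set to `use nix`, direnv evaluates `shell.nix` directly, and its `pkgs` default is a path-style `import` (the lookup target is not visible in this rendering) rather than the `nixpkgs` input pinned by `flake.lock`, so the `agenix` and `age-plugin-yubikey` builds a contributor gets depend on their local channel. The flake's `devShell` outputs do pass the locked `pkgs`, so this affects only the direnv and `nix-shell` entry points; documenting that, or switching `.envrc` to nix-direnv's `use flake` where it is available, would keep both paths on the same inputs. As a style point, the two entries are tools run from the shell, so `nativeBuildInputs = [ agenix age-plugin-yubikey ];` is the conventional `mkShell` attribute for them.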