Integration with age plugins

[vtuan10]

This adds support for age plugins, such as the YubiKey.

PR to add age-plugin-yubikey to nixpkgs: NixOS/nixpkgs#152042

[veehaitch]

Thanks for the plugin integration test. This is very helpful 🙏🏻

[vtuan10]

Added a check age-plugin in flake.nix.
The idea ist to build the example in rage and use the resulting age-plugin-unencrypted. The check tries to

• "encrypt" according to secrets.nix
• "decrypt" it with rage to check if the above worked
• "rekey" it
  But currently it fails with failed to execute nix on both Linux and Darwin. Will look into it a bit more 😅

[vtuan10]

Added a check age-plugin in flake.nix. The idea ist to build the example in rage and use the resulting age-plugin-unencrypted. The check tries to

* "encrypt" according to [secrets.nix](example/plugin-example/secrets.nix)

* "decrypt" it with `rage` to check if the above worked

* "rekey" it
  But currently it fails with `failed to execute nix` on both Linux and Darwin. Will look into it a bit more 😅

After requiring recursive-nix and setting the correct permission, it finally works

[veehaitch]

Interesting approach! This wouldn't work, however, if the ragenix package itself isn't in PATH. I'd suggest wrapping the resulting binary if any plugins are given. Please see the commit I added.

[pinpox]

Since this has been merged, how do I use my yubikey with ragenix?

[vtuan10]

Since this has been merged, how do I use my yubikey with ragenix?

As the age-plugin-yubikey is added to nixpkgs now, use

nix shell nixpkgs#age-plugin-yubikey

to install it into your current session. Follow the instructions on age-plugin-yubikey to generate an identity.

Then enable the plugin in ragenix by overriding it to add the age-plugin-yubikey to the plugins. I'm not sure how you install ragenix, I have this in my configuraton.nix:

let
  ragenix-with-plugins = with pkgs; ragenix.override { plugins = [ age-plugin-yubikey ]; };
in
{
  environment.systemPackages = with pkgs; [
    ragenix-with-plugins
  ];
}

Now you can use the generated identity file as any other age identity file to decrypt secrets. To get the recipient for encryption run age-plugin-yubikey --list-all.

[veehaitch]

Strictly speaking, bringing age-plugin-yubikey in scope (i.e., it's part of your PATH) is sufficient. ragenix will pick it up correctly even without overriding the derivation. Overriding is only useful if you don't usually have age-plugin-yubikey in your PATH.

[veehaitch]

By the way, the manpage (man 1 ragenix) should also cover this: https://htmlpreview.github.io/?https://github.com/yaxitech/ragenix/blob/main/docs/ragenix.1.html#PLUGINS

[pinpox]

I just noticed there is no way to backup the identity when using that plugin, or am I mistaken? That is a bit concerning, loosing or destroying the yubikey would mean loosing access to the secrets?

[vtuan10]

As far as I know, the age-plugin-yubikey does not officially state support for this. However there exists a comment how you can achieve this from the author of the plugin himself:

str4d/age-plugin-yubikey#39 (comment)

As far as this goes, I would suggest you create issues/feature requests on the plugin's site, as this does not really fall into ragenix's responsibilities.

[pinpox]

Thanks for the info. I'll have to think of a recovery strategy then, not sure yet where to go from here.

[vtuan10]

Thanks for the info. I'll have to think of a recovery strategy then, not sure yet where to go from here.

Personally I suggest either buy a second yubikey or just generate a second age key, which you securely store on a separate usb stick