Integration with age plugins #68
With the release of [rage v0.6.0](https://github.com/str4d/rage/releases/tag/v0.6.0) a plugin system was introduced. Using this plugin system rage supports identities and recipients from third-parties such as the [YubiKey](https://github.com/str4d/age-plugin-yubikey).
Thanks for the plugin integration test. This is very helpful 🙏🏻
Added a check
After requiring
flake.nix
Outdated
# Symlink the plugins | ||
for plugin in "${builtins.concatStringsSep " " plugins}"; do | ||
ln -sf $plugin/bin/* $out/bin/ | ||
done |
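Review bot: the double quotes around the `concatStringsSep` expansion in the `for` line make the shell see all plugin paths as a single word, so the loop body runs once and the unquoted `$plugin/bin/*` is then word-split. With more than one plugin this links the first plugin's store path itself instead of the files in its bin directory. Drop the outer quotes on the list (or emit one quoted path per plugin) and quote `"$plugin"` and `"$out"` in the `ln` line.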
Interesting approach! This wouldn't work, however, if the ragenix package itself isn't in PATH. I'd suggest wrapping the resulting binary if any plugins are given. Please see the commit I added.
* Add integration with rage plugins
* Update rage to v0.7.0
* Add age-plugin test
* Add plugin argument to ragenix

Co-authored-by: Vincent Haupert <[email protected]>
Since this has been merged, how do I use my yubikey with ragenix?
As the `nix shell nixpkgs#age-plugin-yubikey` to install it into your current session. Follow the instructions on Then enable the plugin in

```nix
let
  ragenix-with-plugins = with pkgs; ragenix.override { plugins = [ age-plugin-yubikey ]; };
in
{
  environment.systemPackages = with pkgs; [
    ragenix-with-plugins
  ];
}
```

Now you can use the generated identity file as any other age identity file to decrypt secrets. To get the recipient for encryption run
Strictly speaking, bringing
By the way, the manpage (
I just noticed there is no way to back up the identity when using that plugin, or am I mistaken? That is a bit concerning, losing or destroying the yubikey would mean losing access to the secrets?
As far as I know, the str4d/age-plugin-yubikey#39 (comment) As far as this goes, I would suggest you create issues/feature requests on the plugin's site, as this does not really fall into
Thanks for the info. I'll have to think of a recovery strategy then, not sure yet where to go from here.
Personally I suggest either buy a second yubikey or just generate a second age key, which you securely store on a separate USB stick.
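The recovery approach suggested in the last comments, as an added example that is not part of this PR or the ragenix repository: a `secrets.nix` rules file in the agenix/ragenix format that lists a backup recipient beside the YubiKey one. All key strings and secret names are constructed placeholders, and the `withBackup` helper is hypothetical.

```nix
# secrets.nix (added example; every key below is a constructed placeholder)
let
  # Recipient printed by age-plugin-yubikey for the token used day to day.
  yubikeyPrimary = "age1yubikey1qPLACEHOLDERPRIMARY";
  # Recipient of a second YubiKey kept in a separate location.
  yubikeySpare = "age1yubikey1qPLACEHOLDERSPARE";
  # Public half of a software age key; its identity file lives on offline media.
  offlineBackup = "age1PLACEHOLDEROFFLINEBACKUP";
  # SSH host key of the machine that decrypts the secrets at activation.
  host = "ssh-ed25519 AAAAPLACEHOLDERHOSTKEY";

  # Hypothetical guard: evaluation fails if a secret lists no backup
  # recipient, i.e. if losing the primary token would lock out the admin.
  withBackup = keys:
    assert builtins.any (k: builtins.elem k keys) [ yubikeySpare offlineBackup ];
    { publicKeys = keys; };
in
{
  "db-password.age" = withBackup [ yubikeyPrimary offlineBackup host ];
  "wifi.age" = withBackup [ yubikeyPrimary yubikeySpare host ];
}
```

Secrets that already exist only pick up a new recipient once they are re-encrypted (`ragenix --rekey`), which requires an identity that can still decrypt them, so the backup recipient has to be added while the primary token is still available.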
This adds support for age plugins, such as the YubiKey.
PR to add age-plugin-yubikey to nixpkgs: NixOS/nixpkgs#152042