Passphrase protecting age keys about sops-nix HOT 6 CLOSED

We have something that might be helpful when you try to hack this together:

#!/usr/bin/env bash
set -euo pipefail

if [ -n "${VISOPS_PIPE:-}" ]; then
	declare SOPS_AGE_KEY_FILE
	SOPS_AGE_KEY_FILE="$(mktemp -p /dev/shm)"
	export SOPS_AGE_KEY_FILE
	trap 'rm -f "${SOPS_AGE_KEY_FILE}"' INT TERM EXIT
	eval "${VISOPS_PIPE}" > "${SOPS_AGE_KEY_FILE}"
fi
sops "${@}"

Essentially this allow you to do something like:

export VISOPS_PIPE='pass whatever/key | ssh-to-age -private-key'
$THE_SCRIPT_FROM_ABOVE -d myfile.yml

from sops-nix.

Would gnupg keys not be a better fit for you usecase?

from sops-nix.

I think age itself also supports password protected ssh keys? Maybe you can use age to decrypt another age key that is passed to sops. I have no plans on having support for this in sops-nix itself, but I would link to tutorials allowing this.

from sops-nix.

So in particular i want to move away from GPG for many reasons (basically what's listed in the blog post that is linked in the README). It really is more an issue of underlying sops but i opened the issue here because i thought maybe we can work around this using some nix shells as you described "Maybe you can use age to decrypt another age key that is passed to sops".

Personally I think it's odd that sops recommends age over gpg but then doesn't support passphrase protected keys.

I might hack around a bit with this when I find time and update this thread.

Thanks for your time!

from sops-nix.

Yeah something like should solve your issue.

from sops-nix.

You can also replace it with your favorite password manager

from sops-nix.