Comments (6)
We have something that might be helpful when you try to hack this together:

```bash
#!/usr/bin/env bash
set -euo pipefail
# If VISOPS_PIPE is set, run it to obtain the age private key and write the
# output to a temporary file on tmpfs (/dev/shm) that is removed on exit.
if [ -n "${VISOPS_PIPE:-}" ]; then
  declare SOPS_AGE_KEY_FILE
  SOPS_AGE_KEY_FILE="$(mktemp -p /dev/shm)"
  export SOPS_AGE_KEY_FILE
  trap 'rm -f "${SOPS_AGE_KEY_FILE}"' INT TERM EXIT
  eval "${VISOPS_PIPE}" > "${SOPS_AGE_KEY_FILE}"
fi
# sops reads the age identity from SOPS_AGE_KEY_FILE.
sops "${@}"
```

Essentially this allows you to do something like:

```bash
export VISOPS_PIPE='pass whatever/key | ssh-to-age -private-key'
$THE_SCRIPT_FROM_ABOVE -d myfile.yml
```
Would gnupg keys not be a better fit for your use case?
I think age itself also supports password protected ssh keys? Maybe you can use age to decrypt another age key that is passed to sops. I have no plans on having support for this in sops-nix itself, but I would link to tutorials allowing this.
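The wrapper script above and the "use age to decrypt another age key" suggestion both amount to the same pattern: a producer command emits the age identity, it lives only in a 0600 file on tmpfs while sops runs, and it is deleted on every exit path. The function below is an added example (not sops-nix or sops code) that generalises that pattern: the producer is a parameter (for instance `age -d` on a key file previously protected with `age -p`, or a password-manager lookup), the output is checked to look like an age identity before anything runs, and the temp file is removed even when the producer or the wrapped command fails. The function names and the key path in the comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of sops-nix: run a command with an age identity that
# exists only in tmpfs for the lifetime of that command.
set -euo pipefail

# True if FILE contains at least one age secret key line.
looks_like_age_identity() {
  grep -q '^AGE-SECRET-KEY-1' "$1"
}

# with_ephemeral_age_key PRODUCER_CMD -- COMMAND [ARGS...]
# PRODUCER_CMD is a shell snippet that prints the age identity on stdout,
# e.g. 'age -d ~/.config/sops/age/keys.txt.age' (hypothetical path, a key
# file encrypted with `age -p`). COMMAND runs with SOPS_AGE_KEY_FILE set to a
# 0600 file in /dev/shm (or $TMPDIR if tmpfs is unavailable); the file is
# removed on every exit path, including producer or COMMAND failure.
with_ephemeral_age_key() {
  local producer="$1"; shift
  if [ "${1:-}" = "--" ]; then shift; fi
  local dir=/dev/shm
  if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then dir="${TMPDIR:-/tmp}"; fi
  local keyfile
  keyfile="$(mktemp "$dir/sops-age-key.XXXXXX")"   # created with mode 0600
  # Subshell so the EXIT trap and the exported variable stay local to this call.
  (
    trap 'rm -f "$keyfile"' EXIT INT TERM
    # The identity goes straight into the tmpfs file, never through argv.
    if ! sh -c "$producer" > "$keyfile"; then
      echo "age key producer failed" >&2
      exit 1
    fi
    if ! looks_like_age_identity "$keyfile"; then
      echo "producer output is not an age identity; refusing to run" >&2
      exit 1
    fi
    SOPS_AGE_KEY_FILE="$keyfile" "$@"
  )
}

# Typical use with a passphrase-protected key (not executed here):
# with_ephemeral_age_key 'age -d ~/.config/sops/age/keys.txt.age' -- sops -d secrets.yaml
```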
So in particular I want to move away from GPG for many reasons (basically what's listed in the blog post that is linked in the README). It really is more an issue of underlying sops, but I opened the issue here because I thought maybe we can work around this using some nix shells as you described: "Maybe you can use age to decrypt another age key that is passed to sops".
Personally I think it's odd that sops recommends age over gpg but then doesn't support passphrase protected keys.
I might hack around a bit with this when I find time and update this thread.
Thanks for your time!
Yeah something like should solve your issue.
You can also replace it with your favorite password manager