NixOS Secrets Management - Part 1/3

  • Published Jan 29, 2025

COMMENTS • 58

  • @SJ-ds8lp
    @SJ-ds8lp 19 days ago +1

    This is the coolest thing ever. I was getting so confused as to what to use between agenix vs sops. And sops now appears like a clear winner for automation. Thanks to your video that helped with conviction.

    • @Emergent_Mind
      @Emergent_Mind  15 days ago

      Thanks for the comment, glad you found it useful!

  • @luisliz
    @luisliz 8 months ago +16

    Holy shit, can't believe the insane quality of nix YouTubers that are starting out. Tyyyyyy!!!

  • @vernonhinkelschmidt
    @vernonhinkelschmidt 8 months ago +5

    I am coming here to say this:
    This is 100% the best series on this topic! These videos along with your accompanying website were an insane blessing to have. Outside of this tutorial there are exactly 0 articles, or guides on how to set up sops-nix with a git private key. Everyone has tutorials over how to setup Wireguard, Passwords, but no one has put in what seemingly to many is such a small detail. When I adapted your code from the home manager section to actually place the key at the correct location, and did a rebuild it worked flawlessly. Cannot thank you enough for this series!

    • @Emergent_Mind
      @Emergent_Mind  8 months ago

      Thank you for the kind compliment. I'm glad it was helpful!

  • @aimpizza6823
    @aimpizza6823 9 months ago +2

    Just from watching the first part I am amazed of the quality of your teaching. Really appreciate it as the topic is a bit niche :]

    • @Emergent_Mind
      @Emergent_Mind  9 months ago

      Thank you for the kind compliment! More to come.

  • @alirezadavoodi7955
    @alirezadavoodi7955 6 months ago

    Holy moly, for a long time I was trying to integrate my CLI secrets with my nix configs. This is awesome, buddy.

    • @Emergent_Mind
      @Emergent_Mind  5 months ago

      Glad this is helpful for you! Thanks for watching and commenting :)

  • @DanielGomez-ut8bl
    @DanielGomez-ut8bl 4 months ago

    You're doing god's work here. I've been looking on how to do this for a long time, thank you!

    • @Emergent_Mind
      @Emergent_Mind  4 months ago

      Thanks for the kind compliment. Glad the content is useful for you.

  • @christopherchalcraft1134
    @christopherchalcraft1134 8 months ago

    Amazing video. Great quality and so clearly explained for a complex topic. I watch a lot of tech content and nix specifically and this is close to the top.

    • @Emergent_Mind
      @Emergent_Mind  8 months ago

      Thanks for watching and for the compliment.

  • @Julien-rc1bi
    @Julien-rc1bi 10 months ago +2

    Thanks for the great video. I'm using sops-nix with an age text file key and it works great. I'm a bit confused about the use of the public ssh key to generate an age public key: how do you manage the ssh key upon reinstall of the system? In other words, can you make your ssh key invariant to ensure that the private age key defined in .sops.yaml always matches your private ssh key in /etc/ssh?

    • @Emergent_Mind
      @Emergent_Mind  10 months ago +9

      Thanks for the compliment, I'm glad you enjoyed the video.
      There are two ways to handle the ssh key situation on reinstall.
      The first would be to copy the system's ssh key prior to reinstall and then write it to the reinstalled system after. Actually, when you're booted to the NixOS installer environment you can write the ssh key pair to `/mnt/etc/ssh` and then when the install is executed the keys are written to the system. Pro: no need to update .sops.yaml and updatekeys on secrets.yaml. Con: need to copy or have a backup of the original ssh key and put it on the reinstalled system.
      The second would be to accept that the old ssh key will be paved and instead generate a new age key for the system derived from the new ssh key. You'd just update the .sops.yaml to replace the original age public key with the new one and run a sops updatekeys command to encrypt the secrets appropriately. Pro: no need to move copies of the ssh key around. Con: you need to update .sops.yaml and updatekeys on secrets.yaml.
      There may actually be other options but those are the two that I would consider. They both require a similar amount of effort but in different ways. If it's a scenario that you're running into frequently you could look into automating parts of the process with scripts.
      I'm experimenting with automating remote installation at the moment and currently have it set up so that, prior to install, an ssh key for the target system is generated on a source system, age keys are derived, my .sops.yaml and secrets are updated, and the ssh keys are injected into the installer. It's been a lot of fun trial and error but it's all automatic.
      Is that helpful? Let me know how it goes.

    • @Julien-rc1bi
      @Julien-rc1bi 10 months ago +3

      @Emergent_Mind thanks a lot for the detailed answer. It makes lots of sense and I'll experiment a bit with the two options once I'm back from holiday.

  • @Dyrgrip
    @Dyrgrip 8 months ago

    Awesome content! Thank you for sharing your secrets! :)

  • @lalebot
    @lalebot 6 months ago

    Hello, thanks for the video. Can you edit the secret without the key.txt only with age derived from the host's ssh key? Or is it only for sops-nix?

    • @Emergent_Mind
      @Emergent_Mind  6 months ago +1

      Hi, you're welcome. I'm not entirely sure I understand your question but let me try to provide an answer. The key or keys you use to encrypt/decrypt your secrets file don't have to be derived from the host's ssh key if you don't want them to be. Deriving an age key from the host ssh key simply means that you don't have to store a separate age private key for the host because it already has the ssh key. Regardless of how you generate the keys, you will need to use sops to decrypt/encrypt the secrets. I hope that helps.
      Thanks for watching and commenting.

  • @thepinkunicorn6
    @thepinkunicorn6 7 months ago +2

    Small correction, at 6:15 after the -p flag it needs to just be "age", not "age-keygen" :)

    • @Emergent_Mind
      @Emergent_Mind  7 months ago +1

      You are correct; good catch. Thanks for pointing this out!

  • @HyuLilium
    @HyuLilium 9 months ago

    Have you tried to restore the backed up age private key contents? I've tried and I got checksum error when trying to decrypt with it.

    • @Emergent_Mind
      @Emergent_Mind  9 months ago +1

      Hi there, I have, but not since I was testing it out early on. There are many potential issues that could occur there so I'm not sure how to help. Maybe post your issue with some additional context on discourse.nixos.org/. I'll keep an eye out for it, but I do happen to be headed on vacation for a couple of weeks so hopefully someone else can point you in the right direction. Let me know how it goes and thanks for watching!

  • @MOIS3Y-YT
    @MOIS3Y-YT 9 months ago

    I like the option of using ssh-host-key for different hosts, but what about reinstalling the system?
    I mean, yes, we have a backup dev key and we won't lose the ability to decrypt secrets.yaml, but with a new installation, the host key will change, which means we need to copy the dev key to the host, then do sops updatekeys and add the new public age key of the host to .sops.yaml.
    Did I miss anything? Perhaps you know a better way?

    • @Emergent_Mind
      @Emergent_Mind  9 months ago +1

      What you described is correct. Alternatively, you could backup the 'known' host ssh key prior to reinstall and then overwrite the autogenerated one with it, which would keep the .sops.yaml and age key data unchanged. Hard to say if one is more convenient than the other though.
      I am working on some remote install automation at the moment, which includes handling secrets management with a private repo, and automatically generates keys and updates .sops.yaml accordingly. It's still a work in progress because of other aspects of the process but it's close to being done. I'll be making some videos to describe it all when it's finished.
      Thanks for watching!

    • @JohnSmith-y8o
      @JohnSmith-y8o 1 month ago

      @Emergent_Mind I also store the host's private ssh key in the per-host secrets.yaml file. When reinstalling a host using nixos-anywhere, this key is copied to the target host and can directly be used to decrypt the sops secrets. Since you can have more keys to a sops encrypted file, I can also decrypt every sops file for editing using my gpg key. Works perfectly fine.
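
The derivation that the reply to @Julien-rc1bi above and this thread both rely on (a new host ssh key yields a new age public key, which then goes into .sops.yaml before `sops updatekeys`) is shown here as an added example. This is not code from the video, from sops-nix or from ssh-to-age; it re-implements in pure Python the public-key half of what the `ssh-to-age` tool does, so the steps are visible: parse the OpenSSH public key line, map the Ed25519 point to its X25519 form with u = (1 + y) / (1 - y) mod p, and bech32-encode the 32-byte result with the `age` prefix. The sample key is constructed (it is the Ed25519 base point, not a real host key); it is used because its X25519 form is the well-known value u = 9, which makes the conversion checkable.

```python
"""Derive an age recipient from an ssh-ed25519 host public key.

Added example (not code from the video, sops-nix or ssh-to-age). It mirrors
the public-key path of `ssh-to-age`:
  1. parse the OpenSSH public key line (SSH wire format inside base64),
  2. map the Ed25519 point to X25519: u = (1 + y) / (1 - y) mod p,
  3. bech32-encode the 32-byte u with the "age" human-readable prefix.
The result is the string you put in .sops.yaml before `sops updatekeys`.
The sample key below is CONSTRUCTED: the Ed25519 base point, not a host key.
"""
import base64
import struct

P = 2**255 - 19  # field prime shared by Ed25519 and X25519
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def parse_ssh_ed25519_pubkey(line: str) -> bytes:
    """Return the raw 32-byte Ed25519 public key from an OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    for _ in range(2):  # wire format: string keytype, string pubkey (4-byte big-endian length each)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + n])
        off += n
    if fields[0] != b"ssh-ed25519" or len(fields[1]) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return fields[1]


def ed25519_to_x25519(ed_pub: bytes) -> bytes:
    """Birational map from the compressed Edwards y-coordinate to the Montgomery u-coordinate."""
    y = int.from_bytes(ed_pub, "little") & ((1 << 255) - 1)  # bit 255 is the sign of x; not needed
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _to_5bit(data: bytes):
    """Regroup 8-bit bytes into 5-bit symbols, zero-padding the last one (BIP-173 convertbits)."""
    acc = bits = 0
    out = []
    for b in data:
        acc = (acc << 8) | b
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def bech32_encode(hrp: str, data5) -> str:
    polymod = _bech32_polymod(_bech32_hrp_expand(hrp) + data5 + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in data5 + checksum)


def bech32_verify(s: str) -> bool:
    """True if the checksum holds; a recipient pasted into .sops.yaml with a typo fails this."""
    hrp, _, data = s.rpartition("1")
    try:
        data5 = [BECH32_CHARSET.index(c) for c in data]
    except ValueError:
        return False
    return _bech32_polymod(_bech32_hrp_expand(hrp) + data5) == 1


def age_recipient_from_ssh(line: str) -> str:
    """ssh-ed25519 public key line -> age1... recipient string for .sops.yaml."""
    return bech32_encode("age", _to_5bit(ed25519_to_x25519(parse_ssh_ed25519_pubkey(line))))


# Constructed sample: the Ed25519 base point (y = 4/5 mod p) packed as an OpenSSH public key line.
SAMPLE_ED25519_PUB = ((4 * pow(5, -1, P)) % P).to_bytes(32, "little")
SAMPLE_SSH_LINE = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + SAMPLE_ED25519_PUB
).decode() + " root@constructed-sample-host"

if __name__ == "__main__":
    print(age_recipient_from_ssh(SAMPLE_SSH_LINE))
```

On a real host, feed `/etc/ssh/ssh_host_ed25519_key.pub` to `age_recipient_from_ssh` and it prints the same `age1...` value that `ssh-to-age` does for that key; that is the string to substitute for the old host entry in .sops.yaml before running `sops updatekeys secrets.yaml`. Note that this conversion exists only for ed25519 keys, which is why the host key type matters when you plan the reinstall workflow, and that `bech32_verify` is worth running on anything copied by hand into .sops.yaml, since a mistyped recipient silently encrypts to a key nobody holds.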

  • @McGilly17
    @McGilly17 6 months ago

    Absolutely phenomenal series. Thank you so much EmergentMind. I am trying to implement this right now with my config for both linux and mac. Would you use a different access key creation method for mac laptops if they dont have a host key? I must admit I am a little confused on what actually creates the host keys if you are using Darwin... i understood it to be in services.openssh (which isnt available in Darwin).

    • @Emergent_Mind
      @Emergent_Mind  6 months ago +1

      I'm glad this has been valuable for you. I'm not sure what the service is called on Darwin either, but I'll ask someone who knows and get back to you.

    • @McGilly17
      @McGilly17 6 months ago

      @Emergent_Mind much appreciated! Thank you. Your nix configs (along with misterios and Ryan Yins) have been so freaking helpful in frankensteining my own.
      If you are discussing this stuff on GitHub I’m there under mcgilly17 as well (hope to have my configs published soon!).

    • @McGilly17
      @McGilly17 6 months ago

      @Emergent_Mind Thank you so much! Appreciate any help I can get!

    • @Emergent_Mind
      @Emergent_Mind  6 months ago

      I asked... He didn't have it documented but said he remembered just generating the key manually on mac and then copied it over. Sorry that's not very helpful. Iirc openssh is something that is planned for Darwin, so doing it manually for now and coming back to it later may be an option

  • @JohnSmith-y8o
    @JohnSmith-y8o 1 month ago

    Good video. Thanks for it. But I don't really share your opinion about RSA or PGP in general. RSA 4096bit is still very secure. And PGP is absolutely useful. I have a PGP key on a Smartcard (Nitrokey) which I use for SSH authentication, git commit signing, to en-/decrypt my sops secrets locally (ssh derived age keys decrypt it on the remote host) and casually to encrypt or sign a file here and there. Its so versatile and I don't wanna miss it. Everything under one RSA 4096bit GPG key.

    • @Emergent_Mind
      @Emergent_Mind  1 month ago

      That's fair, it's definitely got a place. My negative opinion of PGP stems largely from a distaste for how its implemented. I always found it confusing or problematic to use effectively in the past and have actively avoided it ever since. I'm sure it's improved since I last used it though.
      Thanks for watching and commenting. I'm glad you found it useful.

  • @agh0x01
    @agh0x01 9 months ago +1

    Am interested to hear you elaborate on why PGP is no good.

    • @Emergent_Mind
      @Emergent_Mind  9 months ago

      Hahaha, I suspected someone would call me out on that at some point. :)
      My disdain for PGP is specifically from consistently bad experiences using it over a couple decades. Every time I need it for more than a minimal touch, 'out-of-the-box' scenario I run into endless problems and often lose significant amounts of time trying to troubleshoot (often to no avail). I will admit that this is most likely my own failings more than an intrinsic problem with the technology, but I do find it needlessly convoluted. So really, I just avoid it whenever I can.
      Has your experience with it been positive?
      Thanks for watching and for the comment!

    • @agh0x01
      @agh0x01 9 months ago +1

      @Emergent_Mind yeah, I was just genuinely interested to know if it had failings as a means of protecting sensitive information, as I use GPG occasionally. It sounds like your concerns were more about usability rather than the security side, although granted, a security product that is difficult or especially confusing to use can result in the security one believes to have not actually being there.

  • @hikingpete
    @hikingpete 9 months ago +2

    At t=663 you have a `cat -p ...`. What's up with that? Do you have a non-standard `cat`? It's a `bat` alias, isn't it. I would encourage you to use the proper names, or the standard utilities.

    • @Emergent_Mind
      @Emergent_Mind  8 months ago +2

      Thanks for the suggestion! I will keep this in mind for future videos.

  • @Medan1993
    @Medan1993 7 months ago

    For 6:09 I had some issues with using nix-shell command in that format, so instead I went with "nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt" However the other one was working so no issues there.

    • @Emergent_Mind
      @Emergent_Mind  7 months ago

      Actually, there is a typo in that command, as @thepinkunicorn6 pointed out to me about the same time you commented. After the -p flag it should have been just "age" instead of "age-keygen". Glad you got it sorted out though! There are many ways to accomplish the same things and so much to learn :)
      Thanks for watching and commenting!

  • @S4ntia60
    @S4ntia60 9 months ago

    Delve? is this AI?

    • @Emergent_Mind
      @Emergent_Mind  9 months ago +6

      It seems like you have provided an unrelated statement. I'm not sure what you are asking.
      To clarify, could you please provide more context or rephrase your question? I'm here to help, and I'll do my best to provide a useful, helpful, and actionable answer once I understand your question.
      ;P no, I am not AI

  • @needMoreInput
    @needMoreInput 9 months ago +1

    I think you should just go for sharing how to do the dual key thing, even if not many may need it. I can tell you no one else will teach it I am also now curious, never even considered it as a possibility tbh

    • @Emergent_Mind
      @Emergent_Mind  9 months ago +2

      Thanks for the suggestion and your other comment! There are already a few things I would like to improve about how I presented this series. There are a lot of other topics I'm planning to cover in the near future but I've added the multi-key topic as something to go through, when this series eventually gets a revision. It's good to know what people are interested in hearing about!