Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

age-plugin-yubikey support #41

Open
nekowinston opened this issue Jan 12, 2023 · 5 comments
Open

age-plugin-yubikey support #41

nekowinston opened this issue Jan 12, 2023 · 5 comments

Comments

@nekowinston
Copy link

nekowinston commented Jan 12, 2023
edited

Hi there!

Thanks for this project, I'm trying to add support for the rage YubiKey plugin.

What I've tried so far:

home.nix configuration:

{
  homeage = {
    pkg = pkgs.rage;
    identityPaths = [ "${config.home.homeDirectory}/yubikey.txt" ];
    installationType = "activation";
    file."test" = {
      source = ./data.age;
      symlinks = [ "${config.xdg.configHome}/secret" ];
    };
  };
  # ...other config
}

Create the secret data & create ~/yubikey.txt:

echo "foobar" | rage -i ~/yubikey.txt -e > ~/.config/nixpkgs/data.age
age-plugin-yubikey -i > ~/yubikey.txt

Changes to homeage itself:

diff --git a/homeage/default.nix b/homeage/default.nix
index 45b2ea8..df9130a 100644
--- a/homeage/default.nix
+++ b/homeage/default.nix
@@ -37,7 +37,16 @@ with lib; let
   }: let
     linksCmds = createFiles "ln -sf" path symlinks;
     copiesCmds = createFiles "cp -f" path copies;
+    yubikeyPlugin = pkgs.age-plugin-yubikey + "/bin";
+    pinentry = pkgs.pinentry-gtk2 + "/bin";
+    identity = builtins.head cfg.identityPaths;
   in ''
+    PATH="${yubikeyPlugin}:${pinentry}:$PATH"
+    echo "GETTING IDENTITY FILE CONTENT:"
+    cat ${identity}
+    echo "IDENTITIES PROVIDED: ${identities}"
+    echo "YUBIKEYS CONNECTED:"
+    age-plugin-yubikey -l
     echo "Decrypting secret ${source} to ${path}"
     TMP_FILE="${path}.tmp"
     $DRY_RUN_CMD mkdir $VERBOSE_ARG -p $(dirname ${path})

I added in pinentry-gtk2 after finding str4d/rage#280 and assuming that home.activation is unable to open pinentry-curses.

I'm logging the identity file content, identities provided, and yubikeys connected really only as sanity checks, which produces an output like this:

image

On an unrelated note, on macOS I'm getting an error mounting the secret tmpfs:
Edit: just learned about homeage.mount, my bad.
@andrewhamon
Copy link

I'm running into trouble here as well. Ive been trying this config:

{
  homeage = {
    # Wrap rage so that it can discover age-plugin-yubikey
    pkg = pkgs.writeShellApplication {
      name = "rage";
      runtimeInputs = [ pkgs.age-plugin-yubikey ];
      text = ''
        ${pkgs.rage}/bin/rage "$@"
      '';
    };
    identityPaths = [ "${../../secrets/keychain-yubikey-identity.txt}" ];
    installationType = "activation";
    # ... other config
  };
}

The Activating homeageDecryptCheck succeed, and I am prompted for my pin and tap my yubikey. But then during Activating homeageDecrypt rage fails instantly, without even asking for my pin, with Error: No matching keys found. Here is the relevant output:

Activating homeageDecryptCheck
Enter PIN for YubiKey with serial 23597600:
Enter PIN for YubiKey with serial 23597600:
Activating writeBoundary
Activating copyFonts
Activating homeageCleanup
[homeage] Cleaning up decrypted secret: /Users/andrewhamon/.config/secrets/buildkite_api_key
[homeage] Not removing secret file /Users/andrewhamon/.config/secrets/buildkite_api_key because does not exist.
[homeage] Cleaning up decrypted secret: /Users/andrewhamon/.config/secrets/jupyter_token
[homeage] Not removing secret file /Users/andrewhamon/.config/secrets/jupyter_token because does not exist.
[homeage] Finished cleanup of secrets.
Activating homeageDecrypt
Decrypting secret /nix/store/xn2cqjdznsd6gf2adwram15fkyhfph3i-buildkite_api_key.age to /Users/andrewhamon/.config/secrets/buildkite_api_key
Error: No matching keys found

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]

@nekowinston
Copy link
Author

FWIW I moved my secret management to Sops-Nix which doesn't have problems with the YubiKey, I can keep using OpenPGP, and it recently got support for HM as well.

I'll leave the issue open, but it's unlikely I'll be able to offer more input.

@andrewhamon
Copy link

and it recently got support for HM as well.

@nekowinston did you get it working on macOS? Looking at the docs it only mentions user-level systemd rather than an activation script.

@nekowinston
Copy link
Author

nekowinston commented Mar 30, 2023
edited

@andrewhamon yes, it uses a launchd script on macOS instead, my config for it is pretty basic: https://github.com/nekowinston/dotfiles/blob/c8403e6b102e75d94ab99705b726cc42814e18fb/home/secrets/sops.nix

@andrewhamon
Copy link

andrewhamon commented Apr 2, 2023
edited

Sadly sops doesn't seem to work with age-plugin-yubikey either. I am hoping to avoid gpg since its seems unnecessarily complex compared to age. sops-nix also seems a decent bit more complex that agenix (which I am using for my nixos hosts)

I tried some debugging by logging the args passed to rage in my wrapper script, but that didn't yield anything significant.

The next step the I can think of would be to use a modified age/age with detailed debugging logs there.

That feels like a fair bit more effort than simply writing my own activation script and invoking that manually, though, so I'll probably do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andrewhamon @nekowinston