Document age usage

[jtrakk]

Sops recently got age support. Is it possible to use age with sops-nix?

[Mic92]

I have not tested it yet. It should be possible by using SOPS_AGE_KEY_FILE as described here https://github.com/mozilla/sops/pull/688/files#diff-7b3ed02bc73dc06b7db906cf97aa91dec2b2eb21f2d92bc5caa761df5bbc168fR181
This would require to also update sops here:

sops-nix/go.mod

Line 7 in 797e755

go.mozilla.org/sops/v3 v3.5.0

[jtrakk]

Where should I set the SOPS_AGE_KEY_FILE variable? If I just do it in the shell where I run nixos-rebuild, sops won't see it.

[Mic92]

I think we need to extend the module and set it here:

sops-nix/modules/sops/default.nix

Line 160 in 797e755

${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}

[jtrakk]

For reference the good rev is this PR getsops/sops#788 that uses the armor format. The earlier one on sops develop branch doesn't work reliably.

[Mic92]

I hope I get to implementing converting ssh ed25519 keys to sops/age keys soon similar how it was done for gpg.

[jtrakk]

Age natively supports ssh keys, but the Sops PR that adds Age doesn't include the ssh keys feature.

[Mic92]

Age natively supports ssh keys, but the Sops PR that adds Age doesn't include the ssh keys feature.

That's not an issue. In my implementation for sops-install-secrets I already do the ssh rsa to pgp key conversion. For age that could be applied in the same way.

[Mic92]

Proper age support comes here: #95