We use sops-nix to store the env files
The Core Idea is we store our secrets in an encrypted file in a structured format like json or yaml and for decrypting this we use a cryptographic key and to make it more secure we can use multiple keys for the same file to decrypt or we can also use multiple keys at once to decrypt a single encrypted file
For now we build an system in which out secrets are stored in encrypted file and to use them we can use multiple keys(one key is enough to decrypt) such that we can access that file via multiple hosts and even if one key is eliminated and changed, we have other keys access the secrets
Let’s consider a secrets file
private_keys:
ta: |
--BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACCSIPKTIZMLEYZ26wTL76VyfrW7Uw/uYcPiWSLbyPZ94AAAAJDrHCVI6xwl SAAAAAtzc2gtZWQyNTUxOQAAACC5IPkTIZMLEYZ26wTL76VyfrW7Uw/uYcPiWSLbyPZ94A AAAECvRDj9iuaBonSpgR1bbnJLILItAarTAD43XuSqEQ4qZrkg+RMhkwsRhnbxBMvvpXJ+ tbtTD+5hw+JZItvI9n3gAAAAB3RhQGR1bW8BAgMEBQY-
-----END OPENSSH PRIVATE KEY...
msmtp-password: 8190hnp; GjkErfsZta
password: $y$j9T$/ko5Q8PIXJFWc/xDdSD3p.$wM2XsHk/I9GR1lonJKGKwSxjN05nqPbgV/s11ax5zbAThis file will be encrypted with the secret defined in sops configuration file
keys:
- &users:
- &ta agelzudd9t2sp26q5j0te6ypqzyzsj8ggxphst2vpyfhpphd8puq7gfsh5sq2q
- &hosts:
- &guppy agelyrw@q3kppccvcdyd5zd5sz399dp053mn22w9kxccet8sk60q3d5qhqejv9
- &host2 age1u680aw024d48fagsu3j9@ppcy9mzkg16c9z0vnxj6831wpnjw5sscgsxzj
creation_rules:
- path_regex: secrets.yaml$
key_groups:
- age:
- *ta
- *guppy
- *host2Now to access the secrets we generate cryptographic keys, and they’re two types: Public and private keys, and together we can call them access keys
There can be many types of keys and they can differ in two ways(broadly):
- Key format can be either
pgporage - Origin of the keys can be different
- Key generated for something else, but using for current use
- Stand Along key generated solely for this use
- Key derived from an existing SSH key
For now we can use age key because it’s uses RSA where pgp uses ed25519 and we derive the keys from existing SSH key rather creating fresh because we can derive the keys from hosts encryption key that makes things simple and secure and this also gives us an escape hatch(exit) whenever a key fails on a host machine for some reason
Steps to setup
- Create the default directory to store the secrets that sops-nix expects(can change)
mkdir -p ~/.config/sops/age - Install
age-keygenand run the command via nix shell to generate the keynix-shell -p age-keygen --run "age-keygen -o-/.config/sops/age/key.txt" - Add the public key generated by the above command to
.sopa.yamlwith additional detailskeys: - &sadiq <public_key> creation_rules: - path_regex: secrets.yaml$ key_groups: - age: - *sadiq # here we point the username that mentioned above - Making sure that our current host machine allows connections using SSH keys(either by ed25519 or any other encryption), we check it by seeing is there any encryption key present in
/etc/sshwe need to see files of regexssh_host_*_key,ssh_host_*_key.pub - To convert the public SSH key to a Age Access key we use nix shell and pull in the SSH key and pipe into the tool which spits out the Age Access keys
nix-shell -p ssh-to-age-run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age' - Now we can add the generated key into
.sops.yamlkeys: - &users - &sadiq <public_key> - &hosts - &mac <access_key> creation_rules: - path_regex: secrets.yaml$ key_groups: - age: - *sadiq # here we point the username that mentioned above - *mac - Now we can create the secrets file using sops, which take the defaults we’ve given
sops secrets.yaml
This creates a empty secrets file that we can add values inside and this is encrypted and to edit this we can only use the same command, and if opened via any other text editing tool it will not work