
How can I simulate what `agenix -e` does?

Open ParetoOptimalDev opened this issue 2 years ago • 2 comments

Right now when I create a file test-age-el.age and try to use it with agenix I get:

```
decrypting '/nix/store/x31pafpiw2a8c07c3amh52gihzag8yqx-testemacsage.age' to '/run/agenix.d/3/testemacsage'...
Error: No matching keys found
```

I suppose this has to do with my configuration and not having all public keys.

ParetoOptimalDev, Aug 01 '23 19:08

You just have to get the public keys that age.el does to match the configuration of public keys used in your secrets.nix file. So given:

```nix
let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILI6jSq53F/3hEmSs+oq9L4TwOo1PrDMAgcA1uo1CCV/";
  users = [ user1 user2 ];

  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
  system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1";
  systems = [ system1 system2 ];
in
{
  "secret1.age".publicKeys = [ user1 system1 ];
  "secret2.age".publicKeys = users ++ systems;
}
```

To modify secret2.age you must have all of users and systems in age-default-recipient if I understand correctly.

This works for me at least, but it's possible you don't need all of them.

ParetoOptimalDev, Aug 01 '23 19:08
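One way to keep `age-default-recipient` in step with `secrets.nix` automatically, as an added example that is not part of the original thread, age.el, or agenix. It assumes `nix-instantiate` is on `PATH`, that `secrets.nix` sits in the same directory as the secret, and that `age-default-recipient` accepts a list of public-key strings; the `my/` names are hypothetical.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; the my/ names are hypothetical and not part of age.el.
(require 'age)
(require 'json)

(defvar my/age-recipient-fallback age-default-recipient
  "Recipients restored for .age files that have no sibling secrets.nix.")

(defun my/agenix-recipients (secret dir)
  "Return the publicKeys that DIR/secrets.nix declares for SECRET, as a list.
Signal an error when the entry is missing or empty, so a save that would
encrypt to the wrong recipients is aborted instead."
  (let ((expr (format
               "(let rules = import ./secrets.nix; in rules.\"%s\".publicKeys)"
               secret))
        (json-array-type 'list))
    (with-temp-buffer
      ;; ./secrets.nix in EXPR is resolved relative to this directory.
      (let ((default-directory (file-name-as-directory dir)))
        ;; '(t nil): stdout goes into this buffer, stderr is discarded.
        (unless (eq 0 (call-process "nix-instantiate" nil '(t nil) nil
                                    "--json" "--eval" "--strict" "-E" expr))
          (error "No usable publicKeys entry for %s in secrets.nix" secret)))
      (goto-char (point-min))
      (or (json-read)
          (error "Empty publicKeys list for %s" secret)))))

(defun my/agenix-sync-recipients ()
  "Before saving an .age file, set the recipients age.el will encrypt to.
Runs in the buffer being saved, so each secret gets its own key list."
  (when (and buffer-file-name (string-suffix-p ".age" buffer-file-name))
    (let ((dir (file-name-directory buffer-file-name)))
      (setq age-default-recipient
            (if (file-exists-p (expand-file-name "secrets.nix" dir))
                (my/agenix-recipients
                 (file-name-nondirectory buffer-file-name) dir)
              my/age-recipient-fallback)))))

(add-hook 'before-save-hook #'my/agenix-sync-recipients)
```

With the `secrets.nix` above, saving `secret2.age` encrypts to all four keys, while saving `secret1.age` encrypts only to `user1` and `system1`.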

Leaving open in case there are other thoughts, ideas, or if this could be useful documentation.

ParetoOptimalDev, Aug 01 '23 19:08