age & agenix
age
Alternative implementation in Rust: rage. It ships the rage-mount tool and supports SSH keys as recipients/identities (reusing an existing SSH key file).
$ age-keygen --help
# check command options, simple and helpful
$ age --help
$ cat /etc/hostname
a34
# encrypt /etc/hostname into /tmp/hostname.age, recipient = SSH public key (-R takes a recipients file)
$ age --armor -R ~/.ssh/id_ed25519.pub /etc/hostname > /tmp/hostname.age
# decrypt with the matching SSH private key; write the plaintext to /tmp/hostname (not back over the ciphertext)
$ age -d -i ~/.ssh/id_ed25519 -o /tmp/hostname /tmp/hostname.age
# github keys
$ curl https://github.com/emctoo.keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICadLJygz4Im8wrekaV/hNFLDN59iIIObpBu3GYKlIZm
# encrypt for the GitHub keys: "-R -" reads the recipients file from stdin, armored ciphertext goes to stdout
$ curl https://github.com/emctoo.keys | age --armor -R - /etc/hostname
# use a passphrase
# you will be prompted for a passphrase, or one is generated for you if you leave it empty
$ age -p -o hostname.age /etc/hostname
Linux host keys
Every host already has host keys:
$ ls /etc/ssh/*_key
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key
$ ls /etc/ssh/*_key*pub
/etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key.pub
Or the user's own keys under ~/.ssh/.
agenix
secrets.nix records which secrets are encrypted with which keys.
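An added example of such a secrets.nix (not from the original note): the user key is the GitHub key fetched above, the host key line is a placeholder to replace with the content of /etc/ssh/ssh_host_ed25519_key.pub from host a34, and the secret file names are made up.

```nix
# secrets.nix: the rules file read by the `agenix` CLI when editing or rekeying.
# It is NOT imported by NixOS; it only maps each encrypted file to the public
# keys that are allowed to decrypt it (age recipients, here SSH public keys).
let
  # user key, taken from https://github.com/emctoo.keys above
  emctoo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICadLJygz4Im8wrekaV/hNFLDN59iIIObpBu3GYKlIZm";

  # host key (placeholder): paste /etc/ssh/ssh_host_ed25519_key.pub of host a34
  a34 = "ssh-ed25519 AAAA...REPLACE-WITH-HOST-PUBLIC-KEY...";
in
{
  # encrypted for both recipients: the user can `agenix -e hostname.age`,
  # and the host can decrypt it at activation with its own private host key
  "hostname.age".publicKeys = [ emctoo a34 ];

  # only the host needs this one; the user cannot read it back
  "db-password.age".publicKeys = [ a34 ];
}
```

On the NixOS side the secret is declared with `age.secrets.hostname.file = ./hostname.age;` and read at `config.age.secrets.hostname.path`; agenix decrypts it using the identities in `age.identityPaths`, which default to the SSH host keys listed in the previous section.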