From 1c0271bc2abd454bdc1a1c8c4d63408d03b82163 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Sun, 15 Mar 2026 11:22:09 -0400 Subject: [PATCH] removed yubikey --- secrets/README.md | 72 ----------------------------------------------- 1 file changed, 72 deletions(-) diff --git a/secrets/README.md b/secrets/README.md index 56eb406..92e28d4 100644 --- a/secrets/README.md +++ b/secrets/README.md 
@@ -66,75 +66,3 @@ sops -d secrets/system/wifi.yaml # Update .sops.yaml with new keys, then: sops updatekeys secrets/system/wifi.yaml ``` - -## Migrating to Yubikey - -### 1. Generate a new age identity on Yubikey - -```bash -# Insert Yubikey and run interactive setup -age-plugin-yubikey - -# Follow prompts: -# - Select slot (default: 1) -# - Set PIN policy (default: once per session) -# - Set touch policy (recommended: always) -# -# This generates a NEW key on the Yubikey - you will not know the private key. -# Save the identity to the keys directory: -age-plugin-yubikey --identity > src/user/config/keys/age/yubikey -``` - -The identity file only contains a *reference* to the Yubikey, not the private key. -It will be deployed to `~/.config/sops/age/keys.txt` on rebuild. - -### 2. Update .sops.yaml with Yubikey public key - -```bash -# Get the public key (age1yubikey1...) -age-plugin-yubikey --list - -# Edit .sops.yaml and replace/add the key: -vim .sops.yaml -``` - -```yaml -keys: - - &yubikey age1yubikey1q... # your Yubikey public key - -creation_rules: - - path_regex: secrets/.*\.yaml$ - key_groups: - - age: - - *yubikey -``` - -### 3. Re-key all secrets against the new key - -```bash -# This decrypts with your OLD key and re-encrypts with the NEW key -find secrets -name "*.yaml" -exec sops updatekeys {} \; -``` - -You'll need your old key available during this step. - -### 4. Remove the old age key (optional) - -```bash -# Once all secrets are re-keyed and tested: -# 1. Remove old key from .sops.yaml -# 2. Delete the old key file from the repo: -rm src/user/config/keys/age/local # or whatever your test key was named -``` - -### 5. Test decryption with Yubikey - -```bash -# Should prompt for Yubikey touch/PIN -sops -d secrets/system/wifi.yaml - -# Test a full rebuild -sudo nixos-rebuild switch --flake .#desktop -``` - -If decryption works, your migration is complete.
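Review bot: The hunk drops the whole "Migrating to Yubikey" section, yet the retained lines still tell the reader to "Update .sops.yaml with new keys, then: sops updatekeys", and the only documentation of the full rotation flow (re-key every file with `find secrets -name "*.yaml" -exec sops updatekeys {} \;`, then remove the old recipient from `.sops.yaml` before deleting the old key file, then test decryption and a rebuild) lived in the deleted steps 3 to 5. With the commit message reading only "removed yubikey", nothing says whether hardware-key support is abandoned or merely moved, so please either keep those steps as a hardware-agnostic "Rotating keys" subsection (dropping just the `age-plugin-yubikey` commands) or state in the commit message where that guidance now lives; otherwise a future rotation is likely to skip the "remove old key from .sops.yaml" step and leave the retired recipient able to decrypt.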