diff --git a/flake.nix b/flake.nix
index ff6d08b..5e301c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,18 +70,11 @@
 name = "devShell";
 packages = [
 just
- rclone
- age
 sops
- ssh-to-age
- git
 git-crypt
 gnupg
-
- yubikey-manager
- age-plugin-yubikey
 ];
 };
 };
diff --git a/secrets/README.md b/secrets/README.md
index 92e28d4..56eb406 100644
--- a/secrets/README.md
+++ b/secrets/README.md
@@ -66,3 +66,75 @@ sops -d secrets/system/wifi.yaml
 # Update .sops.yaml with new keys, then:
 sops updatekeys secrets/system/wifi.yaml
 ```
+
+## Migrating to Yubikey
+
+### 1. Generate a new age identity on Yubikey
+
+```bash
+# Insert Yubikey and run interactive setup
+age-plugin-yubikey
+
+# Follow prompts:
+# - Select slot (default: 1)
+# - Set PIN policy (default: once per session)
+# - Set touch policy (recommended: always)
+#
+# This generates a NEW key on the Yubikey - you will not know the private key.
+# Save the identity to the keys directory:
+age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
+```
+
+The identity file only contains a *reference* to the Yubikey, not the private key.
+It will be deployed to `~/.config/sops/age/keys.txt` on rebuild.
+
+### 2. Update .sops.yaml with Yubikey public key
+
+```bash
+# Get the public key (age1yubikey1...)
+age-plugin-yubikey --list
+
+# Edit .sops.yaml and replace/add the key:
+vim .sops.yaml
+```
+
+```yaml
+keys:
+ - &yubikey age1yubikey1q... # your Yubikey public key
+
+creation_rules:
+ - path_regex: secrets/.*\.yaml$
+ key_groups:
+ - age:
+ - *yubikey
+```
+
+### 3. Re-key all secrets against the new key
+
+```bash
+# This decrypts with your OLD key and re-encrypts with the NEW key
+find secrets -name "*.yaml" -exec sops updatekeys {} \;
+```
+
+You'll need your old key available during this step.
+
+### 4. Remove the old age key (optional)
+
+```bash
+# Once all secrets are re-keyed and tested:
+# 1. Remove old key from .sops.yaml
+# 2. Delete the old key file from the repo:
+rm src/user/config/keys/age/local # or whatever your test key was named
+```
+
+### 5. Test decryption with Yubikey
+
+```bash
+# Should prompt for Yubikey touch/PIN
+sops -d secrets/system/wifi.yaml
+
+# Test a full rebuild
+sudo nixos-rebuild switch --flake .#desktop
+```
+
+If decryption works, your migration is complete.
diff --git a/system/machines/server/modules/backup/default.nix b/system/machines/server/modules/backup/default.nix
index cf02ea0..511b332 100644
--- a/system/machines/server/modules/backup/default.nix
+++ b/system/machines/server/modules/backup/default.nix
@@ -15,15 +15,15 @@ let
 set -euo pipefail
 TIMESTAMP=$(date +%Y%m%d-%H%M%S)
- BACKUP_NAME="backup-$TIMESTAMP.tar.gz.age"
+ BACKUP_NAME="backup-$TIMESTAMP.tar.age"
 TEMP_DIR=$(mktemp -d)
 trap "rm -rf $TEMP_DIR" EXIT
 echo "Starting backup: $BACKUP_NAME"
 echo "Paths: ${concatStringsSep " " cfg.paths}"
- export PATH="${pkgs.gzip}/bin:${pkgs.age-plugin-yubikey}/bin:$PATH"
- ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-czf - ${concatStringsSep " " tarPaths} | \
+ export PATH="${pkgs.age-plugin-yubikey}/bin:$PATH"
+ ${pkgs.gnutar}/bin/tar -C / ${excludeArgs}-cf - ${concatStringsSep " " tarPaths} | \
 ${pkgs.age}/bin/age ${recipientArgs} -o "$TEMP_DIR/$BACKUP_NAME"
 ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf copy "$TEMP_DIR/$BACKUP_NAME" "${cfg.destination}"
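Review bot: With gzip gone from the new `tar -cf -` line every archive is now the raw size of the backed-up paths, since age does not compress, and the whole encrypted file is still staged under `$TEMP_DIR` from `mktemp -d` before rclone uploads it; if TMPDIR on this host is tmpfs (NixOS `boot.tmp.useTmpfs`), a large backup can now exhaust memory where it previously fit. Consider streaming instead of staging, e.g. replacing the `-o "$TEMP_DIR/$BACKUP_NAME"` / `rclone copy` pair with `${pkgs.age}/bin/age ${recipientArgs} | ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf rcat "${cfg.destination}/$BACKUP_NAME"`, or at least point `mktemp -d -p` at a disk-backed directory. Separately, GNU tar exits 1 when a file changes while being read, which under `set -euo pipefail` aborts the run before anything is uploaded; if these are live paths, decide whether that is intended or handle the exit-1 case explicitly. The surrounding `let` binding continues outside the hunk.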