---
comment: true
title: Deployment Keys Basics
description: Deploy an age-encrypted secret with the wire tool.
---

# Deployment Keys Basics
{{ $frontmatter.description }}
::: tip
For this tutorial we will be using age,
but other encryption CLI tools, such as GnuPG, work just as well.
:::
## Installing age

Alter your `shell.nix` to include age:

```nix
let
  sources = import ./npins;
  pkgs = import sources.nixpkgs { };
  wire = import sources.wire;
in
pkgs.mkShell {
  packages = [
    wire.packages.x86_64-linux.wire-small
    pkgs.npins
    pkgs.git
    pkgs.age # [!code ++]
  ];
  shellHook = ''
    export NIX_PATH="nixpkgs=${sources.nixpkgs.outPath}"
  '';
}
```
Quit and re-open your shell, and confirm age is now available:

```shell
[nix-shell]$ exit
exit
$ nix-shell
[nix-shell]$ age --version
1.2.1
```
## Encrypting a secret

First create an age private key:

```shell
[nix-shell]$ age-keygen -o key.txt
Public key: age1j08s3kmr8zw4w8k99vs4nut5mg03dm8nfuaajuekdyzlujxply5qwsv4g0
```
::: details
Further details on how age works can be found in the age manual.
:::
Now, let's encrypt the string `encrypted string!` with age and save it to the
file `top-secret.age`.

We will use a pipeline to echo the plaintext into age, use `age-keygen -y` to
derive the public key from the private key we generated and pass it as the
recipient, then use the redirection operator to save the encrypted data to
`top-secret.age`:

```shell
[nix-shell]$ echo "encrypted string!" | age --encrypt --recipient $(age-keygen -y key.txt) > top-secret.age
```
## Adding an age-encrypted key

Now, let's combine the command-sourced key from earlier with age. Pass the
arguments `age --decrypt --identity key.txt ./top-secret.age` to wire:

```nix
{
  deployment.keys = {
    # ...
    "top-secret" = { # [!code ++]
      source = [ # [!code ++]
        "age" # [!code ++]
        "--decrypt" # [!code ++]
        "--identity" # [!code ++]
        "key.txt" # [!code ++]
        "${./top-secret.age}" # [!code ++]
      ]; # [!code ++]
    }; # [!code ++]
  };
}
```
One `wire apply keys` later, and you have successfully deployed an encrypted
key:

```shell
[root@wire-tutorial:~]# cat /run/keys/top-secret
encrypted string!
```
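Before running `wire apply keys`, it is worth checking that the pieces wired together above are what you think they are: that `top-secret.age` really is age ciphertext and not a plaintext file that skipped the `age --encrypt` step, that `key.txt` holds an age secret key and is readable only by you (the relative `key.txt` path in the `source` list implies wire runs the decrypt command on the machine you deploy from, so the key must stay private there), and that no `.nix` file interpolates the private key as `"${./key.txt}"`, which would copy it into the world-readable Nix store (only the ciphertext, `"${./top-secret.age}"`, belongs there). The following script is an added example, not part of the wire or age projects; the file names, the `check_deployment_dir` function and the sample files in its usage are assumptions made for this tutorial layout.

```shell
#!/usr/bin/env sh
# Added example (not wire's or age's own code): pre-deploy sanity checks for
# the age-based deployment.keys layout used in this tutorial.
# Assumed layout: key.txt (identity), top-secret.age (ciphertext) and the
# wire configuration in one or more .nix files under the same directory.

# Returns 0 if the file starts with an age header (binary or ASCII-armored),
# 1 otherwise. Catches a plaintext file that never went through `age --encrypt`.
is_age_ciphertext() {
    first_line=$(head -n 1 "$1" 2>/dev/null)
    case "$first_line" in
        "age-encryption.org/v1"|"-----BEGIN AGE ENCRYPTED FILE-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the identity file contains an age secret key and is mode 0600.
# The decrypt command runs on the deploying machine, so the key must be
# readable only by its owner there.
is_private_identity() {
    grep -q '^AGE-SECRET-KEY-1' "$1" 2>/dev/null || return 1
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perms" = "600" ]
}

# Returns 0 if no .nix file under the directory interpolates the identity file
# as a path. `"${./key.txt}"` would copy the private key into the Nix store,
# which is world-readable; only the ciphertext should be referenced that way.
identity_not_in_store() {
    ! grep -rq '\${\./key\.txt}' --include='*.nix' "$1"
}

# Runs all three checks against a deployment directory; returns 0 only if
# every check passes, printing the first failure for the operator.
check_deployment_dir() {
    dir=$1
    is_age_ciphertext "$dir/top-secret.age" \
        || { echo "top-secret.age is not age ciphertext"; return 1; }
    is_private_identity "$dir/key.txt" \
        || { echo "key.txt is missing, not an age secret key, or not mode 600"; return 1; }
    identity_not_in_store "$dir" \
        || { echo "a .nix file interpolates key.txt into the Nix store"; return 1; }
    echo "ok: $dir"
}

# Usage (constructed sample files, not real keys):
#   mkdir demo && cd demo
#   age-keygen -o key.txt && chmod 600 key.txt
#   echo "encrypted string!" | age -e -r "$(age-keygen -y key.txt)" > top-secret.age
#   check_deployment_dir .
```

Run `check_deployment_dir .` from the directory holding `key.txt`, `top-secret.age` and your wire configuration; a non-zero exit with a message tells you which of the three assumptions above does not hold.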