---
comment: true
title: Deployment Keys Basics
description: Deploy an age-encrypted secret with the wire tool.
---

# Deployment Keys Basics

{{ $frontmatter.description }}

::: tip
For this tutorial we will be using [`age`](https://github.com/FiloSottile/age),
but other encryption CLI tools, such as GnuPG, work just as well.
:::

## Installing age

Alter your `shell.nix` to include age:

```nix:line-numbers [shell.nix]
let
  sources = import ./npins;
  pkgs = import sources.nixpkgs { };
  wire = import sources.wire;
in
pkgs.mkShell {
  packages = [
    wire.packages.x86_64-linux.wire-small
    pkgs.npins
    pkgs.git
    pkgs.age # [!code ++]
  ];

  shellHook = ''
    export NIX_PATH="nixpkgs=${sources.nixpkgs.outPath}"
  '';
}
```

Quit and re-open your shell, and confirm age is now available:

```sh
[nix-shell]$ exit
exit
$ nix-shell
[nix-shell]$ age --version
1.2.1
```

## Encrypting a secret

First create an age private key:

```sh
[nix-shell]$ age-keygen -o key.txt
Public key: age1j08s3kmr8zw4w8k99vs4nut5mg03dm8nfuaajuekdyzlujxply5qwsv4g0
```

::: details
Further details on how age works can be found in the
[age manual](https://man.archlinux.org/man/age.1.en.txt).
:::

Now, let's encrypt the words `encrypted string!` with age and save the result to the
file `top-secret.age`.

We will use a pipeline to echo the plaintext string into age, use
`age-keygen -y key.txt` to hand age the public key that belongs to the private key we
just generated, and then use the redirection operator to save the encrypted data to
`top-secret.age`.

```sh
[nix-shell]$ echo "encrypted string!" | age --encrypt --recipient $(age-keygen -y key.txt) > top-secret.age
```

76
## Adding an age-encrypted key

Now, let's combine the command-sourced key from before with `age`. Pass the
arguments `age --decrypt --identity key.txt ./top-secret.age` to wire:

```nix:line-numbers [secrets.nix]
{
  deployment.keys = {
    # ...

    "top-secret" = { # [!code ++]
      source = [ # [!code ++]
        "age" # [!code ++]
        "--decrypt" # [!code ++]
        "--identity" # [!code ++]
        "key.txt" # [!code ++]
        "${./top-secret.age}" # [!code ++]
      ]; # [!code ++]
    }; # [!code ++]
  };
}
```

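Before running `wire apply keys`, it is worth rehearsing the decrypt command locally, since wire runs the `source` command and deploys whatever it outputs. The script below is an added example and is not part of the wire documentation or the wire project: it generates a throwaway key in a scratch directory, encrypts the tutorial's string, runs the exact `age --decrypt --identity ...` argv from `secrets.nix`, and also checks that an unrelated identity is refused, which is the error you would otherwise meet first at deploy time. It assumes `age` and `age-keygen` are on `PATH` (the `shell.nix` above provides them) and prints `SKIP` when they are absent; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the wire documentation: rehearse the tutorial's
# encrypt/decrypt round trip in a scratch directory, using the same argv that
# secrets.nix hands to wire, so a bad identity or recipient surfaces before
# `wire apply keys`. Assumes `age` and `age-keygen` are on PATH; prints "SKIP"
# when they are not. Function names are this example's own.

set -eu

# Create key.txt and top-secret.age under a fresh scratch directory, encrypting
# $1 for the freshly generated key. Echoes the directory path.
make_secret_fixture() {
    plaintext="$1"
    workdir=$(mktemp -d)
    age-keygen -o "$workdir/key.txt" 2>/dev/null     # private key never enters the repo
    recipient=$(age-keygen -y "$workdir/key.txt")    # public key, as in the tutorial's $(age-keygen -y key.txt)
    printf '%s\n' "$plaintext" | age --encrypt --recipient "$recipient" > "$workdir/top-secret.age"
    printf '%s\n' "$workdir"
}

# Run exactly the argv from deployment.keys."top-secret".source. Echoes the
# plaintext on success, or "DECRYPT-FAILED" when age rejects the identity.
decrypt_like_wire() {
    identity="$1"
    ciphertext="$2"
    if out=$(age --decrypt --identity "$identity" "$ciphertext" 2>/dev/null); then
        printf '%s\n' "$out"
    else
        printf '%s\n' "DECRYPT-FAILED"
    fi
}

# Full rehearsal: the right identity must round-trip, an unrelated identity
# must be refused. Echoes "<good result>|<bad result>", or "SKIP" without age.
rehearse_roundtrip() {
    command -v age >/dev/null 2>&1 || { printf '%s\n' "SKIP"; return 0; }
    dir=$(make_secret_fixture "encrypted string!")
    other=$(mktemp -d)
    age-keygen -o "$other/key.txt" 2>/dev/null       # a second, unrelated key
    good=$(decrypt_like_wire "$dir/key.txt" "$dir/top-secret.age")
    bad=$(decrypt_like_wire "$other/key.txt" "$dir/top-secret.age")
    rm -rf "$dir" "$other"
    printf '%s\n' "$good|$bad"
}

# Expected: encrypted string!|DECRYPT-FAILED
rehearse_roundtrip
```

Note the asymmetry in the `secrets.nix` list above: `"key.txt"` is a plain string, so age reads the private key from the working directory at deploy time, whereas `"${./top-secret.age}"` is a Nix path interpolation and is copied into the Nix store. That is fine for the ciphertext, which is the only thing that lands in the store; the private key should stay out of it.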
One `wire apply keys` later, and you have successfully deployed an encrypted
key:

```sh [Virtual Machine]
[root@wire-tutorial:~]# cat /run/keys/top-secret
encrypted string!
```