Deployment Keys Basics

Deploy an age-encrypted secret with the wire tool.

TIP: For this tutorial we will be using age, but other encryption CLI tools, such as GnuPG, work just as well.
Installing age

Alter your shell.nix to include age:

```nix
let
  sources = import ./npins;
  pkgs = import sources.nixpkgs { };
  wire = import sources.wire;
in
pkgs.mkShell {
  packages = [
    wire.packages.x86_64-linux.wire-small
    pkgs.npins
    pkgs.git
    pkgs.age
  ];
  shellHook = ''
    export NIX_PATH="nixpkgs=${sources.nixpkgs.outPath}"
  '';
}
```

Quit and re-open your shell, and confirm age is now available:

```console
[nix-shell]$ exit
exit
$ nix-shell
[nix-shell]$ age --version
1.2.1
```

Encrypting a secret
First create an age private key:

```console
[nix-shell]$ age-keygen -o key.txt
Public key: age1j08s3kmr8zw4w8k99vs4nut5mg03dm8nfuaajuekdyzlujxply5qwsv4g0
```

Details: Further details on how age works can be found in the age manual.

Now, let's encrypt the words "encrypted string!" with age and save the result to the file top-secret.age.

We will use a pipeline to echo the string into age, use age-keygen -y to hand age the public key we generated as the recipient, and then use the redirection operator to save the encrypted data to top-secret.age.

```console
[nix-shell]$ echo "encrypted string!" | age --encrypt --recipient $(age-keygen -y key.txt) > top-secret.age
```

Adding an age-encrypted key

Now, let's combine our previous command-sourced key with age. Pass the arguments age --decrypt --identity key.txt ./top-secret.age to wire:
```nix
{
  deployment.keys = {
    # ...
    "top-secret" = {
      source = [
        "age"
        "--decrypt"
        "--identity"
        "key.txt"
        "${./top-secret.age}"
      ];
    };
  };
}
```

One wire apply keys later, and you have successfully deployed an encrypted key:

```console
[root@wire-tutorial:~]# cat /run/keys/top-secret
encrypted string!
```
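The key-generation, encryption and decryption pipeline that wire runs for this key, exercised end to end in a throwaway directory. This is an added example written for this page, not code from the wire project; it assumes the age and age-keygen binaries from the shell.nix above are on PATH, and the function names are the example's own. Besides the round trip, it checks the failure mode that matters for a deployed key: a ciphertext encrypted to one recipient is refused when decrypted with an unrelated identity, so a leaked top-secret.age on its own is not enough to recover the secret.

```sh
#!/bin/sh
# Added example (not part of the wire docs): exercise the age pipeline the
# tutorial wires into deployment.keys. Assumes `age` and `age-keygen` are on PATH.
set -eu

# Round-trip a plaintext through age with a freshly generated identity.
# Prints the decrypted text; any failure makes the function return non-zero.
age_roundtrip() {
  plaintext=$1
  workdir=$(mktemp -d)
  # Same key generation as the tutorial; age-keygen reports the public key on stderr.
  age-keygen -o "$workdir/key.txt" 2>/dev/null
  # Derive the recipient (public key) from the identity file, exactly as the tutorial does.
  recipient=$(age-keygen -y "$workdir/key.txt")
  printf '%s' "$plaintext" | age --encrypt --recipient "$recipient" > "$workdir/top-secret.age"
  # This is the command wire executes locally when a key's `source` is a command list.
  age --decrypt --identity "$workdir/key.txt" "$workdir/top-secret.age"
  rm -rf "$workdir"
}

# Returns 0 when age (correctly) refuses to decrypt with an identity that is
# not the recipient, and 1 if the ciphertext was somehow opened anyway.
wrong_identity_is_rejected() {
  workdir=$(mktemp -d)
  age-keygen -o "$workdir/deployer.txt" 2>/dev/null
  age-keygen -o "$workdir/unrelated.txt" 2>/dev/null
  printf 'secret' | age --encrypt --recipient "$(age-keygen -y "$workdir/deployer.txt")" > "$workdir/s.age"
  if age --decrypt --identity "$workdir/unrelated.txt" "$workdir/s.age" >/dev/null 2>&1; then
    rm -rf "$workdir"
    return 1
  fi
  rm -rf "$workdir"
  return 0
}
```

Run it inside the nix-shell with `. ./age-pipeline.sh && age_roundtrip 'encrypted string!'` (the file name is this example's choice) and the decrypted text comes back on stdout, just as wire later writes it to /run/keys/top-secret. Note that in the deployment.keys snippet only the ciphertext, "${./top-secret.age}", is interpolated into a string and therefore copied into the world-readable Nix store; that is harmless because it is encrypted, whereas "key.txt" stays a plain string resolved at run time and never enters the store, which is why the identity file must be kept out of version control.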