We manage secrets on our machines using agenix. Most of our setup was created using Sawyer Shepherd's amazing blog post about agenix which can be found here.
Let's say you're adding an encrypted secret called my-secret. To do that, add an
entry for my-secret.age to secrets.nix in this directory (take a look at the
other secrets in the file to see how to do that) and then run
agenix -e my-secret.age in the same directory as secrets.nix. Your editor opens
on the plaintext; once you save and quit, agenix encrypts it to all users' keys
from ./authorized_keys.nix and all systems mentioned in ./secrets.nix, so any
of those keys can decrypt it.
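The following secrets.nix is an added illustration of the pattern described above; it is not this repository's actual file. It assumes ./authorized_keys.nix evaluates to an attribute set mapping user names to SSH public key strings, and the host key values are placeholders. The second entry goes beyond the text: it shows how to narrow a secret to a single system when not every machine needs it.

```nix
# secrets.nix (illustrative example, not the repository's own file).
# Assumption: ./authorized_keys.nix evaluates to { alice = "ssh-ed25519 ..."; ... }.
let
  users = import ./authorized_keys.nix;

  # Host keys of the systems that must decrypt secrets at boot. Each value is
  # the contents of /etc/ssh/ssh_host_ed25519_key.pub on that host.
  # Placeholder values below; replace with real host public keys.
  systems = {
    laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<placeholder> root@laptop";
    server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI<placeholder> root@server";
  };

  allUsers = builtins.attrValues users;
  allSystems = builtins.attrValues systems;
in
{
  # Default pattern used on this page: every user and every system can decrypt.
  "my-secret.age".publicKeys = allUsers ++ allSystems;

  # Optional narrowing: a secret only one host needs is encrypted to that host
  # plus the maintainers, so compromising another host does not expose it.
  "server-only.age".publicKeys = allUsers ++ [ systems.server ];
}
```

Whenever you change a publicKeys list (adding a user in ./authorized_keys.nix, adding a host, or narrowing a secret), the existing .age files still carry the old recipient set until you run agenix -r.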
You can only decrypt secrets that were encrypted to your key. If your public
key isn't in ./authorized_keys.nix, agenix -d will fail for every secret, and
someone who can already decrypt them must first add your user and rekey (see
below).
To decrypt a secret, run agenix -d my-secret.age; it prints the plaintext to
stdout, so avoid running it where terminal output is recorded.
To allow a new user to decrypt the secrets:
- Add their public key to ./authorized_keys.nix.
- Rekey the secrets with agenix -r.
You must complete these steps from a device that can already decrypt the secrets: rekeying decrypts every secret and re-encrypts it to the new recipient list, so a machine whose key is not yet a recipient cannot perform it.