From 6c916c1f57cde50e4115b608c9e1a67b6bdde8f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Sat, 28 Aug 2021 16:24:05 +0200 Subject: [PATCH] Add a converter from private ssh keys to age --- README.md | 16 +++++++---- default.nix | 3 +- pkgs/ssh-privkey-to-age/default.nix | 19 +++++++++++++ pkgs/ssh-privkey-to-age/main.go | 28 +++++++++++++++++++ .../default.nix | 4 +-- .../main.go | 0 6 files changed, 62 insertions(+), 8 deletions(-) create mode 100644 pkgs/ssh-privkey-to-age/default.nix create mode 100644 pkgs/ssh-privkey-to-age/main.go rename pkgs/{sops-ssh-to-age => ssh-pubkey-to-age}/default.nix (84%) rename pkgs/{sops-ssh-to-age => ssh-pubkey-to-age}/main.go (100%) diff --git a/README.md b/README.md index 2c66e58..9ed284a 100644 --- a/README.md +++ b/README.md @@ -204,10 +204,16 @@ $ ssh-keygen -t ed25519 Converting the public key to the age format works like this: ```console -$ nix run -f default.nix sops-ssh-to-age -c sh -c 'ssh-add -L | sops-ssh-to-age' +$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-add -L | ssh-pubkey-to-age' ``` -Ssh public key files may also be piped into the `sops-ssh-to-age` tool. +Ssh public key files may also be piped into the `ssh-pubkey-to-age` tool. + +Finally, you need to convert your private key to the age format: +```console +$ mkdir -p ~/.config/sops +$ nix run -f default.nix ssh-privkey-to-age -c ssh-privkey-to-age ~/.ssh/id_ed25519 > ~/.config/sops/keys.txt +``` ### 3a. Get a PGP Public key for your machine 
@@ -243,11 +249,11 @@ If you prefer having a separate GnuPG key, see [Use with GnuPG instead of ssh ke ### 3b. Get a age Public key for your machine -The `sops-ssh-to-age` tool is used to convert any ssh public key to the age format. +The `ssh-pubkey-to-age` tool is used to convert any ssh public key to the age format. This way you can convert any key: ```console -$ nix run -f default.nix sops-ssh-to-age -c sh -c 'ssh-keyscan my-server.com | sops-ssh-to-age' -$ nix run -f default.nix sops-ssh-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | sops-ssh-to-age' +$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-keyscan my-server.com | ssh-pubkey-to-age' +$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-pubkey-to-age' ``` ### 4. Create a sops file diff --git a/default.nix b/default.nix index 60481c3..3300749 100644 --- a/default.nix +++ b/default.nix @@ -11,7 +11,8 @@ in rec { Also see https://github.com/Mic92/sops-nix/issues/98 '' pkgs.callPackage ./pkgs/sops-pgp-hook { }; sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { }; - sops-ssh-to-age = pkgs.callPackage ./pkgs/sops-ssh-to-age { inherit vendorSha256; }; + ssh-pubkey-to-age = pkgs.callPackage ./pkgs/ssh-pubkey-to-age { inherit vendorSha256; }; + ssh-privkey-to-age = pkgs.callPackage ./pkgs/ssh-privkey-to-age { inherit vendorSha256; }; inherit sops-install-secrets; # backwards compatibility diff --git a/pkgs/ssh-privkey-to-age/default.nix b/pkgs/ssh-privkey-to-age/default.nix new file mode 100644 index 0000000..72777fa --- /dev/null +++ b/pkgs/ssh-privkey-to-age/default.nix 
@@ -0,0 +1,19 @@
+{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
+buildGoModule {
+ pname = "ssh-privkey-to-age";
+ version = "0.0.1";
+
+ src = ../..;
+
+ subPackages = [ "pkgs/ssh-privkey-to-age" ];
+
+ inherit vendorSha256;
+
+ meta = with lib; {
+ description = "Converter that converts SSH private keys into age keys";
+ homepage = "https://github.com/Mic92/sops-nix";
+ license = licenses.mit;
+ maintainers = with maintainers; [ mic92 ];
+ platforms = platforms.linux;
+ };
+}
diff --git a/pkgs/ssh-privkey-to-age/main.go b/pkgs/ssh-privkey-to-age/main.go
new file mode 100644
index 0000000..d619bba
--- /dev/null
+++ b/pkgs/ssh-privkey-to-age/main.go
@@ -0,0 +1,28 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+
+ "github.com/Mic92/sops-nix/pkgs/sops-install-secrets/agessh"
+)
+
+func main() {
+ if len(os.Args) != 2 {
+ println("Usage: " + os.Args[0] + " [path to ssh private key]")
+ os.Exit(1)
+ }
+
+ sshKey, err := ioutil.ReadFile(os.Args[1])
+ if err != nil {
+ panic(fmt.Errorf("Cannot read ssh key '%s': %w", os.Args[1], err))
+ }
+
+ // Convert the key to bech32
+ bech32, err := agessh.SSHPrivateKeyToBech32(sshKey)
+ if err != nil {
+ panic(fmt.Errorf("Cannot convert ssh key '%s': %w", os.Args[1], err))
+ }
+ fmt.Println(bech32)
+}
diff --git a/pkgs/sops-ssh-to-age/default.nix b/pkgs/ssh-pubkey-to-age/default.nix
similarity index 84%
rename from pkgs/sops-ssh-to-age/default.nix
rename to pkgs/ssh-pubkey-to-age/default.nix
index 32186a2..ca37518 100644
--- a/pkgs/sops-ssh-to-age/default.nix
+++ b/pkgs/ssh-pubkey-to-age/default.nix
@@ -1,11 +1,11 @@
 { stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
 buildGoModule {
- pname = "sops-ssh-to-age";
+ pname = "ssh-pubkey-to-age";
 version = "0.0.1";
 src = ../..;
- subPackages = [ "pkgs/sops-ssh-to-age" ];
+ subPackages = [ "pkgs/ssh-pubkey-to-age" ];
 inherit vendorSha256;
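Review bot: `platforms = platforms.linux;` in the new meta block restricts ssh-privkey-to-age to Linux, yet the README hunk in this same patch tells workstation users to run it against their own ~/.ssh/id_ed25519, and nothing in the main.go hunk looks Linux-specific; unless the line was kept deliberately, `platforms = platforms.unix;` (or dropping the attribute) would let macOS users follow the documented steps. The argument set `{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:` also binds `stdenv`, `path`, `pkgs` and `go` that the body never uses, so `{ lib, buildGoModule, vendorSha256 }:` is sufficient — though since it is copied verbatim from the renamed ssh-pubkey-to-age derivation below, trimming both together may be preferable.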
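Review bot: Both failure paths in main() end in `panic(fmt.Errorf(...))`, so a missing file or an unparseable key aborts with a goroutine stack trace instead of a one-line message; for a CLI the conventional form is `fmt.Fprintf(os.Stderr, "cannot read ssh key %q: %v\n", os.Args[1], err)` followed by `os.Exit(1)` (likewise for the conversion error), and the usage text on the `println(...)` line should go through `fmt.Fprintln(os.Stderr, ...)` rather than the builtin. Separately, the converted age identity is written with `fmt.Println(bech32)` to stdout, and the README hunk in this patch redirects it with `>` into ~/.config/sops/keys.txt, so the resulting file's mode is whatever the caller's umask yields — commonly 0644 — leaving a secret key readable by other local users; a comment such as `// Prints the age secret key to stdout; the caller must store it with 0600 permissions` above the Println, plus a `umask 077` or `chmod 600` step in the README, would make that explicit. Whether a passphrase-protected key is accepted depends on agessh.SSHPrivateKeyToBech32, which is outside this patch, so if it is not, the usage string should say the key must be unencrypted. `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` on Go 1.16+, if the module's Go version allows it.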
diff --git a/pkgs/sops-ssh-to-age/main.go b/pkgs/ssh-pubkey-to-age/main.go similarity index 100% rename from pkgs/sops-ssh-to-age/main.go rename to pkgs/ssh-pubkey-to-age/main.go