Can sops-nix work with ssh keys?

dragon_logic · August 2, 2025, 11:44pm

To use sops-nix I have to use ssh-to-age to convert all my hosts’ ssh keys to age keys and then add those age keys to the .sops.yaml file. Instead I wish I could just directly add the ssh keys to .sops.yaml but that doesn’t work for me. I wonder why sops-nix can’t just do ssh-to-age on the fly and save me some extra steps?

Here’s the relevant excerpt from my .sops.yaml:

creation_rules:
  - path_regex: secrets\.yaml$
    key_groups:
      - age:
        - *host1_age
        - *host2_age
        - ...

waffle8946 · August 3, 2025, 1:08am

github.com/Mic92/sops-nix

README.md?plain=1

2c8def626


      
          ## Supported encryption methods
          
          sops-nix supports two basic ways of encryption, GPG and `age`.

github.com/Mic92/sops-nix

`sops` can't decrypt when only provided an SSH key path

opened 03:39PM - 16 Dec 24 UTC

3ulalia

I've managed to pare my config down to the following minimal setup: ```nix s…ops.defaultSopsFile = inputs.self.outPath + "/secrets/secrets.yaml"; sops.age.sshKeyPaths = ["/home/eulalia/.ssh/id_ed25519"]; sops.secrets."passwords/eulalia".neededForUsers = true; ``` Then, in my secrets file (~/flake/secrets/secrets.yaml): ```yaml passwords: eulalia: $y$thisisafakepasswordhash ``` And in my sops yaml file (~/.sops.yaml): ```yaml keys: - &eulalia thepublickeytomySSHkeywhenconvertedtoage creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini|sops)$ key_groups: - age: - *eulalia ``` Despite this, when I run `sops ~/flake/secrets/secrets.yaml` it tells me that it is unable to decrypt: ``` eulalia@sunlanii:~/flake/ > sops secrets/secrets.yaml Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED thepublickeytomySSHkeywhenconvertedtoage: FAILED - | failed to load age identities: failed to open file: open | /home/eulalia/.config/sops/age/keys.txt: no such file or | directory ``` The only way to get it to decrypt is to use ssh-to-age to convert my SSH key to an age key and then put it in that location. Why do I have to put my key there? Isn't setting `sops.age.sshKeyPaths` enough? (And yes, I have run `sops updatekeys ~/flake/secrets/secrets.yaml` a number of times. It has not fixed the issue :p) I'm presuming that this is the reason behind a related issue I have - namely, when I set my password as described above, it works until I reboot, at which point I'm unable to login. I presume this is because `sops` is looking for a key file in `~/.config/sops/age/keys.txt` despite it not being there. Thanks!

dragon_logic · August 3, 2025, 1:37am

So it looks like it’s still an open issue which needs to be addressed?

waffle8946 · August 3, 2025, 1:39am

It’s evidently not supported. If you want it to work you’d have to write a patch or some other code yourself.