How can I securely/easily get my secrets to a new host?

I’ve set up a custom ISO with an install script that will install the system from my configuration repository.

Firstly, I need my AGE private key on the ISO if I’m to declaratively set users’ passwords, because they’re encrypted with sops-nix.

Secondly, after I boot into the new system, obviously neither my configuration repository nor my AGE or SSH private keys are on this new system. I then have to manually copy that stuff over to the new machine.

Can I do this in an automated, secure way?

My ideal is that I can easily get up and running again if I have to reinstall my system, or if my computer blows up and I have to move the same configuration to a new one.

nixos-anywhere lets you push some files over ssh to the computer you’re deploying to (--extra-files and --disk-encryption-keys), and place them on the filesystem that it creates. So rather than putting your private key on the ISO, boot a computer with the ISO, ssh into it, and run nixos-anywhere to push your secret to the computer and install NixOS in one go. That will let you both set up your secrets and put your key on the host in a secure, automated way.

Combine this with some of the other settings to be able to step in and run nixos-generate or whatever else you need to do for hardware-specific settings.

I wouldn’t put my configuration repository or ssh private keys on the system with this mechanism, though (totally possible, just tedious and somewhat unnecessary). Rather I’d make the configuration repo available online, accessible through my ssh key if I want to obfuscate it.

As for my ssh key, I store that on a yubikey, which both solves the encryption chicken-and-egg problem and adds an extra auth layer. Given how important ssh keys are, if I did not have a yubikey I would generate a new one every time I set up a new computer, and simply register that new key with all services I need to be accessible from that computer, perhaps writing a script to automate that.

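An added example, not code from this thread or from the nixos-anywhere project, of the workflow the reply above describes: stage the age key under the path sops-nix will read it from, verify it is owner-only, and hand that tree to nixos-anywhere with --extra-files so the ISO itself never carries the private key. The keyFile path (/var/lib/sops-nix/key.txt), the flake attribute, the installer address and the assumption that nixos-anywhere preserves file modes from the --extra-files tree are mine; check your version's docs for the last one.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): stage an age identity for sops-nix and pass it to
# nixos-anywhere via --extra-files, so the private key never lives on the install ISO.
# Assumptions: the target config sets sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# nixos-anywhere keeps file modes from the --extra-files tree (verify for your version).
set -eu

# Build the --extra-files tree: <staging>/var/lib/sops-nix/key.txt, owner-only.
# $1 = path to the age identity on the admin machine, $2 = staging directory to create.
# Prints the path of the staged key.
stage_sops_key() {
  src="$1"; staging="$2"
  dest_dir="$staging/var/lib/sops-nix"
  mkdir -p "$dest_dir"
  chmod 700 "$dest_dir"
  # umask 077 so the copy is created owner-only even before the explicit chmod
  (umask 077 && cp "$src" "$dest_dir/key.txt")
  chmod 600 "$dest_dir/key.txt"
  printf '%s\n' "$dest_dir/key.txt"
}

# Returns 0 only when the staged key's mode is exactly 0600; used as a gate before pushing.
check_key_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm 600 -print)" ]
}

# Print the nixos-anywhere invocation (not executed here; it needs a booted installer).
# $1 = staging dir, $2 = flake attribute (e.g. .#myhost), $3 = root@<installer address>
nixos_anywhere_cmd() {
  printf 'nixos-anywhere --extra-files %s --flake %s %s\n' "$1" "$2" "$3"
}

# Demo with a constructed placeholder identity (not a real age key).
demo() {
  work=$(mktemp -d)
  printf 'AGE-SECRET-KEY-1PLACEHOLDER_NOT_A_REAL_KEY\n' > "$work/keys.txt"
  chmod 600 "$work/keys.txt"
  staged=$(stage_sops_key "$work/keys.txt" "$work/extra-files")
  check_key_mode "$staged" || { echo "staged key has loose permissions" >&2; return 1; }
  nixos_anywhere_cmd "$work/extra-files" '.#myhost' 'root@192.0.2.10'
  rm -rf "$work"
}

demo
```

After the install, sops-nix on the new host decrypts the secrets with the staged key, so the same repository and key reproduce the machine without ever baking the key into the ISO.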

That makes sense. I came up with an alternative that might be easier, but I don’t know if it would work. Could I have my AGE, and SSH keys stored on a YubiKey, plug that in, and copy them over to the new system before doing an install? I don’t know if I can copy things off a YubiKey though.

Edit: I guess I could also just have an encrypted thumb drive with my AGE and SSH key. Is that a bad idea?

No, that’s the point of a yubikey. It does cryptographic operations with keys stored on it, and passes the results back to your computer. In other words, as long as your yubikey is connected (via usb, nfc, etc.), you can use those keys, but the keys can never be extracted again.

Yep. Copying over USB is not particularly different from just copying the files over ssh though.

You can also make a less high-tech “yubikey” with an encrypted USB drive.

Oh, I get it. So, I could have my AGE and SSH keys on my YubiKey, plug it in before the installation process, and then I just keep it plugged in when I need to do things with those keys?

I see that it’s possible to get your AGE key onto a YubiKey, but do you know how to use it with sops-nix?