How to use sops-nix to manage SSH/GPG private keys

Hello, I’m new to NixOS. I have now completed the configuration of flake and home-manager.
Previously, I usually stored the GPG and SSH keys on my private USB flash drive. But this means that when I install a new system, I need to manually import these private keys. So I looked for a tool to manage the keys and encrypt the key content. Thankfully, many users’ public configurations mention that they use sops-nix to manage secrets like private keys, Wi-Fi passwords, and so forth. But when I generated the age key and created the .sops.yaml following sops-nix’s README, I found that I could not directly manage the SSH/GPG key file by setting it. So I want to know what I should do to meet my need?

You don’t necessarily. You could use this USB as a kind of custom hardware token if you use the GNUPGHOME env variable for your gpg key and the IdentityFile setting for your ssh key. You could even use a second USB with derived keys rather than your master key, and use only a GPG key.
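As an added illustration of the approach described above (not code from the original post, and not an official sops-nix or home-manager snippet), here is a home-manager fragment that points GnuPG and OpenSSH at key material living on a mounted USB drive instead of copying private keys into the Nix store or a git repository. The mount path `/run/media/user/keys` and the host alias `github.com` are assumptions for the example; replace them with your own.

```nix
# Added example: keep private keys on removable media, reference them from home-manager.
# Assumes the USB drive is mounted at /run/media/user/keys (constructed path for this example).
{ config, pkgs, ... }:

let
  # Single place to change the mount point of the "hardware token" USB drive.
  keyDrive = "/run/media/user/keys";
in
{
  # GnuPG: use the keyring on the USB drive as GNUPGHOME.
  # Nothing from the drive is copied into the Nix store; the directory is only referenced.
  programs.gpg = {
    enable = true;
    homedir = "${keyDrive}/gnupg";
  };

  # Some tools read GNUPGHOME directly rather than the gpg.conf location,
  # so export it in the session environment as well.
  home.sessionVariables = {
    GNUPGHOME = "${keyDrive}/gnupg";
  };

  # OpenSSH: IdentityFile points at the key on the drive for the hosts that need it.
  # IdentitiesOnly prevents the agent from offering unrelated keys.
  programs.ssh = {
    enable = true;
    matchBlocks = {
      "github.com" = {
        hostname = "github.com";
        user = "git";
        identityFile = "${keyDrive}/ssh/id_ed25519";
        identitiesOnly = true;
      };
    };
  };
}
```

With this layout the USB drive behaves like a removable token: when it is unplugged, `gpg` and `ssh` simply fail to find the key, and reinstalling the system only requires applying the home-manager configuration, not re-importing the secrets. Keep the drive's `gnupg` directory at mode 700 and the SSH key at mode 600 (as `gpg` and `ssh` expect), which is easiest if the drive uses a POSIX filesystem rather than FAT.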

How exactly do you intend to keep your keys safe when using sops-nix? I’m not sure I would recommend putting private gpg/ssh keys in a web-accessible git repo, or publicly accessible in the nix store.

You can kind of do it, but at least gpg will complain about file permissions, so you would need to use some systemd service to copy it into place with the right permissions.

You are right. Publishing the private key to the public repo is not a good idea.