Managing gnupg secret key with sops-nix and home-manager

I found this thread: How to using sops-nix to manage SSH/GPG private key, but that discussion didn’t go very far.

My setup involves using a “main” age key to encrypt all other secrets with sops. The encrypted secrets are committed to a git repository. Everything else (user password, ssh keys, email passwords, etc.) is pretty simple, but I’m stuck on managing gpg secret keys with home-manager.

I guess I could write a home-manager activation script that imports the key from a location that sops-nix decrypts to, but I’m not really familiar with either nix or gnupg, so I don’t know how to do it without side effects. Does anyone have an example setup where they are managing gnupg secret keys with sops-nix? Or should I write a home-manager module instead to provide home.gpg.secretKeys in addition to public ones?