
rekey a single secret? #143

Open
n8henrie opened this issue Feb 3, 2023 · 6 comments

Comments

@n8henrie
Collaborator

n8henrie commented Feb 3, 2023

It would be nice to be able to rekey a single secret -- I just ran across this while modifying the list of pubkeys that could access a single secret in a shared directory with other machines' secrets.

Looks like it would be fairly trivial to implement, though obviously it would require some user-facing changes to specify which key (e.g. specify with -e, which is what I expected would work initially, vs a different flag if reusing this one is problematic, vs using remaining positional args so users can choose to glob (secret_foo_*.age) if desired).

If this idea is worth entertaining I'm happy to work on a PR.

@n8henrie
Collaborator Author

n8henrie commented Feb 3, 2023

Also, the current behavior succeeds at rekeying keys until it arrives at one it doesn't have the key for, leaving them partially rekeyed, which seems undesirable.

(Looks like it sorts the files alphabetically, so current workaround is renaming the file and attribute of interest accordingly.)

@n8henrie
Collaborator Author

Installing a new system today, I again had to resort to copying mykey.age to amykey.age so (alphabetically) it would be rekeyed prior to failing on other files for which the private key wasn't on the local system.

I think using [FILE...] to specify files to rekey would be the best for usability and correctness, defaulting to the current behavior (all) if unspecified.

Alternatively just adding a || true would at least work around the need to re-alphabetize things.

Any opinions @ryantm?
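The behaviour asked for above (rekey only the files named on the command line, keep going past files the local identity cannot decrypt, and never leave a half-rekeyed directory behind), written out as an added example that is not part of this thread or of agenix itself. It assumes a plain age setup: one identity file for decryption and one recipients file for re-encryption; the loop logic is independent of that and takes the per-file rekey step as a parameter.

```python
"""Rekey selected .age files, continue past failures, replace atomically."""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Iterable

def rekey_with_age(path: Path, identity: Path, recipients: Path) -> bytes:
    """Decrypt PATH with IDENTITY and re-encrypt it for RECIPIENTS (assumed
    age CLI setup). check=True turns a failed decrypt into an exception; a
    shell pipeline `age -d ... | age -R ...` would instead hand the encryptor
    empty input and silently replace the secret with an encryption of nothing."""
    plaintext = subprocess.run(
        ["age", "-d", "-i", str(identity), str(path)],
        check=True, capture_output=True).stdout
    return subprocess.run(
        ["age", "-R", str(recipients)],
        input=plaintext, check=True, capture_output=True).stdout

def rekey_selected(files: Iterable[Path], rekey: Callable[[Path], bytes]) -> dict:
    """Rekey each listed file with REKEY (a callable returning the new
    ciphertext). Returns {"done": [paths], "failed": {path: reason}}.
    Every file is attempted, so the caller sees the full set of files that
    still need another machine's key, instead of stopping at the first one."""
    result = {"done": [], "failed": {}}
    for path in files:
        path = Path(path)
        try:
            new_ciphertext = rekey(path)
        except Exception as exc:  # this file only; carry on with the rest
            result["failed"][path] = str(exc)
            continue
        # Write next to the target (mkstemp gives mode 0600) and rename over
        # it, so a reader never observes a truncated or partially written file.
        fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
        with os.fdopen(fd, "wb") as fh:
            fh.write(new_ciphertext)
        os.replace(tmp, path)
        result["done"].append(path)
    return result
```

With real files this would be called as `rekey_selected(paths, lambda p: rekey_with_age(p, identity, recipients))`; an unmatched identity shows up in `failed` rather than aborting the run.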

@Chickensoupwithrice

Chickensoupwithrice commented May 26, 2023

+1 would really like the ability to specify which keys to rekey, and failing to do so, skipping the failed rekey and continuing the process

@korfuri

korfuri commented Aug 13, 2023

You can also use EDITOR=: agenix -e secret.age which will trigger a rekey.

That's what agenix does under the hood, see:

EDITOR=: edit "$FILE"

It would be a nice usability bonus to have -r -e just work.

@adamcstephens

adamcstephens commented Oct 10, 2023

It doesn't look like this workaround has worked since #148 was merged. Currently I'm receiving

─❯ EDITOR=: nix run github:ryantm/agenix\?ref=daf42cb35b2dc614d1551e37f96406e4c4a2d3e4#agenix -- --identity $AGE_IDENTITY_FILE --edit core/password.age
Enter PIN for YubiKey with serial 12922790: 
Error: Invalid recipient ''

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]

@Lindenk

Lindenk commented Apr 19, 2024

Is there an update on this? It's currently pretty much impossible to manage secrets without a master key
