Allow age.keyFile to be in Nix store
Fragment in question:
https://github.com/Mic92/sops-nix/blob/6e5a38e08a2c31ae687504196a230ae00ea95133/modules/sops/default.nix#L322-L330
I understand the reason for pathNotInStore is to prevent people from accidentally leaking a private key into the (world-readable) Nix store.
However, with some age plugins like age-plugin-tpm for example, the contained blob is mostly useless to an attacker today, as the data is sealed with a target host TPM key.
Would it make sense to add an extra option, e.g. "allowKeyInPublicReadableNixStore" which would lift the requirement for age.keyFile to be "pathNotInStore"?
Can we easily detect if age-plugin-tpm is used and then lift that requirement instead?
That should be possible; age-plugin-tpm identities have a unique prefix. We could readFile and parse that:
AGE-PLUGIN-TPM-1QYQQQKQQYVQQKQQZQPEQQQQQZQQPJQQTQQPSQYQQYR92LCDXJ75RJZ9E4T9NUD7[...]
https://github.com/Foxboron/age-plugin-tpm/blob/ff250c13d813b748ad1f88ca5c57ace4858185e8/cmd/age-plugin-tpm/main.go#L36
The public key is also prefixed with age1tpm so that could be an alternative in case e.g. keyFile is not present on the build system. It's a little cumbersome because one would have to get the list of receivers, and that taps into age implementation.
Seems like there was some discussion back in 2024 about it, with a workaround mentioned.
https://github.com/Mic92/sops-nix/pull/534#issuecomment-2079623031
same thing with yubikey plugin - the ID has a format of `AGE-PLUGIN-YUBIKEY-1MZXR5QVZ4S6ZEWS0JA9JA`
perhaps an override at your own risk is more generalizable?
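The prefix check proposed above (the TPM identity prefix, and the YubiKey one from the last comment) combined with an explicit opt-in, sketched as a NixOS module fragment. This is an added example, not code from sops-nix; the option name `allowHardwareBoundKeyInStore`, the `inStore` heuristic and the prefix list are assumptions, and in sops-nix the `keyFile` option's own `pathNotInStore` type would also have to be relaxed before this assertion could ever run.

```nix
# Added example, not sops-nix code: a hypothetical opt-in that lifts the
# "key file must not be in the Nix store" rule only when the identity in the
# file carries a hardware-plugin prefix, as discussed in this thread.
{ config, lib, ... }:
let
  cfg = config.sops.age;
  keyFile = cfg.keyFile;

  # Identity prefixes whose secret material lives in a hardware token, so the
  # file content alone does not yield a usable private key.
  hardwareBoundPrefixes = [ "AGE-PLUGIN-TPM-" "AGE-PLUGIN-YUBIKEY-" ];

  # Simple heuristic (assumption): a path string beginning with /nix/store.
  inStore = p: lib.hasPrefix builtins.storeDir (toString p);

  # Only read the file when it is a store path; `&&` is lazy, so a key that is
  # not in the store is never read at evaluation time.
  identityIsHardwareBound =
    keyFile != null
    && inStore keyFile
    && lib.any (p: lib.hasPrefix p (lib.fileContents keyFile)) hardwareBoundPrefixes;
in
{
  # Hypothetical option name; sops-nix does not define it.
  options.sops.age.allowHardwareBoundKeyInStore = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Permit age.keyFile to be a store path if it holds a TPM or YubiKey plugin identity.";
  };

  config.assertions = [
    {
      # Passes when there is no key, the key is outside the store, or the
      # user opted in and the file really holds a hardware-bound identity.
      assertion =
        keyFile == null
        || !(inStore keyFile)
        || (cfg.allowHardwareBoundKeyInStore && identityIsHardwareBound);
      message = ''
        sops.age.keyFile (${toString keyFile}) is in the world-readable Nix store.
        This is only allowed with sops.age.allowHardwareBoundKeyInStore = true
        and an identity starting with one of: ${lib.concatStringsSep ", " hardwareBoundPrefixes}
      '';
    }
  ];
}
```

The opt-in remains a deliberate "at your own risk" switch: the file is still world-readable, it is only that a TPM- or YubiKey-sealed identity does not by itself contain the private key.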