agenix-pass a pass compliant #15

Closed
blaggacao opened this issue Dec 29, 2020 · 6 comments

@blaggacao
Contributor

blaggacao commented Dec 29, 2020

For a more unified, devops-dream, future-proof secrets management.

divnix/digga#56

There is the advent of (cheap, as in here-implementation / here-maintenance) FIDO2 integration on the horizon: https://github.com/str4d/age-plugin-yubikey — specifically: str4d/age-plugin-yubikey#1

@ryantm
Owner

ryantm commented May 13, 2021

I don't understand what this is asking for @blaggacao. It seems to be talking about yubikey and pass. What do you want to store in pass?

@blaggacao
Contributor Author

blaggacao commented May 13, 2021

Thank you for asking. As far as I can remember, this was part of a research stride.

That stride has been driven by a vision to manage pass secrets as part of the nixos host (or home) state via age (instead of gpg). Agenix, in that idea, would provide the api and implementation of how secrets would be stored with a pass-compatible.

The specific link represents a relatively cheap way to unlock any age encrypted secret with a FIDO2 device: an enabler for any age(nix) based pass-compatible.

Since then, there seems to be a specification coming around: https://hackmd.io/@str4d/age-plugin-yubikey

To this end, I'd guess this issue asked for acknowledgment of age-plugin-yubikey, and a general feedback on the (abstract) idea of an agenix-pass. (If that makes sense)

@asymmetric
Contributor

There's preliminary support for rage plugins, one of which is for Yubikeys. Until that lands more properly, I don't think there's much to do on agenix's side though.

@blaggacao
Contributor Author

Should we close this? This is not going to be immediately actionable. I think we are still a few upstream iterations away from crafting well-integrated nixos specific solutions for pass' state.

@ryantm ryantm closed this as completed May 15, 2021
@blaggacao
Contributor Author

For what it's worth, word is spreading that the state of the age ecosystem might slowly have reached a state where this can be attempted upon.

@pinpox

pinpox commented Mar 24, 2022

Any updates on the yubikey support?
