2023-09-13 09:15:06 +00:00
# Managing Secrets with Clan
2023-08-24 12:52:09 +00:00
2023-09-13 09:15:06 +00:00
Clan enables encryption of secrets within a Clan flake, ensuring secure sharing among users.
This documentation will guide you through managing secrets with the Clan CLI,
which utilizes the [sops ](https://github.com/getsops/sops ) format and
integrates with [sops-nix ](https://github.com/Mic92/sops-nix ) on NixOS machines.
## 1. Generating Keys and Creating Secrets
To begin, generate a key pair:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ clan secrets key generate
```
**Output**:
```
Public key: age1wkth7uhpkl555g40t8hjsysr20drq286netu8zptw50lmqz7j95sw2t3l7
Generated age private key at '/home/joerg/.config/sops/age/keys.txt' for your user.
Generated age private key at '/home/joerg/.config/sops/age/keys.txt' for your user. Please back it up on a secure location or you will lose access to your secrets.
Also add your age public key to the repository with 'clan secrets users add youruser age1wkth7uhpkl555g40t8hjsysr20drq286netu8zptw50lmqz7j95sw2t3l7' (replace you
user with your user name)
```
⚠️ **Important** : Backup the generated private key securely, or risk losing access to your secrets.
Next, add your public key to the Clan flake repository:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:19:32 +00:00
$ clan secrets users add < your_username > < your_public_key >
```
2023-09-13 09:15:06 +00:00
Doing so creates this structure in your Clan flake:
```
sops/
└── users/
└── < your_username > /
└── key.json
```
Now, to set your first secret:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ clan secrets set mysecret
Paste your secret:
```
Note: As you type your secret, keypresses won't be displayed. Press Enter to save the secret.
Retrieve the stored secret:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ clan secrets get mysecret
```
And list all secrets like this:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ clan secrets list
```
Secrets in the repository follow this structure:
```
sops/
├── secrets/
│ └── < secret_name > /
│ ├── secret
│ └── users/
│ └── < your_username > /
```
The content of the secret is stored encrypted inside the `secret` file under `mysecret` .
By default, secrets are encrypted with your key to ensure readability.
## 2. Adding Machine Keys
New machines in Clan come with age keys stored in `./sops/machines/<machine_name>` . To list these machines:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ clan secrets machines list
```
For existing machines, add their keys:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-19 09:04:33 +00:00
$ clan secrets machines add < machine_name > < age_key >
2023-09-13 09:15:06 +00:00
```
To fetch an age key from an SSH host key:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:15:06 +00:00
$ ssh-keyscan < domain_name > | nix shell nixpkgs#ssh-to-age -c ssh-to-age
```
## 3. Assigning Access
By default, secrets are encrypted for your key. To specify which users and machines can access a secret:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:21:19 +00:00
$ clan secrets set --machine < machine1 > --machine < machine2 > --user < user1 > --user < user2 > < secret_name >
2023-09-13 09:15:06 +00:00
```
You can add machines/users to existing secrets without modifying the secret:
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:21:19 +00:00
$ clan secrets machines add-secret < machine_name > < secret_name >
2023-09-13 09:15:06 +00:00
```
## 4. Utilizing Groups
For convenience, Clan CLI allows group creation to simplify access management. Here's how:
1. **Creating Groups** :
Assign users to a new group, e.g., `admins` :
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:21:19 +00:00
$ clan secrets groups add admins < username >
2023-09-13 09:15:06 +00:00
```
2. **Listing Groups** :
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:21:19 +00:00
$ clan secrets groups list
2023-09-13 09:15:06 +00:00
```
3. **Assigning Secrets to Groups** :
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-13 09:21:19 +00:00
$ clan secrets groups add-secret < group_name > < secret_name >
2023-09-13 09:15:06 +00:00
```
2023-09-21 13:32:56 +00:00
# NixOS integration
2023-09-22 10:04:13 +00:00
A NixOS machine will automatically import all secrets that are encrypted for the
current machine. At runtime it will use the host key to decrypt all secrets into
a in-memory, non-persistent filesystem using
[sops-nix ](https://github.com/Mic92/sops-nix ). In your nixos configuration you
can get a path to secrets like this `config.sops.secrets.<name>.path` . Example:
```nix
{ config, ...}: {
sops.secrets.my-password.neededForUsers = true;
users.users.mic92 = {
isNormalUser = true;
passwordFile = config.sops.secrets.my-password.path;
};
}
```
See the [readme ](https://github.com/Mic92/sops-nix ) of sops-nix for more
examples.
2023-09-21 13:32:56 +00:00
# Importing existing sops-based keys / sops-nix
`clan secrets` stores each secrets in a single file, whereas [sops ](https://github.com/Mic92/sops-nix )
commonly allows to put all secrets in a yaml or json documents.
2024-03-06 12:11:49 +00:00
If you already happened to use sops-nix, you can migrate by using the `clan secrets import-sops` command by importing these documents:
2023-09-21 13:32:56 +00:00
2023-09-26 13:49:45 +00:00
```shellSession
2023-09-21 13:32:56 +00:00
% clan secrets import-sops --prefix matchbox- --group admins --machine matchbox nixos/matchbox/secrets/secrets.yaml
```
This will create secrets for each secret found in `nixos/matchbox/secrets/secrets.yaml` in a ./sops folder of your repository.
Each member of the group `admins` will be able
Since our clan secret module will auto-import secrets that are encrypted for a particular nixos machine,
you can now remove `sops.secrets.<secrets> = { };` unless you need to specify more options for the secret like owner/group of the secret file.
