Allow age.keyFile to be in Nix store

[dotdoom]

Fragment in question:

sops-nix/modules/sops/default.nix

Lines 322 to 330 in 6e5a38e

	age = {
	keyFile = lib.mkOption {
	type = lib.types.nullOr pathNotInStore;
	default = null;
	example = "/var/lib/sops-nix/key.txt";
	description = ''
	Path to age key file used for sops decryption.
	'';
	};

I understand the reason for pathNotInStore is to prevent people from accidentally leaking a private key key into the (world-readable) Nix store.

However with some age plugins like age-plugin-tpm for example, the contained blob is mostly useless to attacker today, as the data is sealed with a target host TPM key.

Would it make sense to add an extra option, e.g. "allowKeyInPublicReadableNixStore" which would lift the requirement for age.keyFile to be "pathNotInStore"?

[SuperSandro2000]

Can we easily detect if age-plugin-tpm is used and then lift that requirement instead?

[dotdoom]

That should be possible; age-plugin-tpm identities have a unique prefix. We could readFile and parse that:

AGE-PLUGIN-TPM-1QYQQQKQQYVQQKQQZQPEQQQQQZQQPJQQTQQPSQYQQYR92LCDXJ75RJZ9E4T9NUD7[...]

https://github.com/Foxboron/age-plugin-tpm/blob/ff250c13d813b748ad1f88ca5c57ace4858185e8/cmd/age-plugin-tpm/main.go#L36

[dotdoom]

The public key is also prefixed with age1tpm so that could be an alternative in case e.g. keyFile is not present on the build system. It's a little cumbersome because one would have to get the list of receivers, and that taps into age implementation.

[dotdoom]

Seems like there was some discussion back in 2024 about it, with a workaround mentioned.

#534 (comment)

[xela-zone]

same thing with yubikey plugin - the ID has a format of `AGE-PLUGIN-YUBIKEY-1MZXR5QVZ4S6ZEWS0JA9JA

perhaps a override at your own risk is more generalizable?