Conversation

@dbast dbast commented Jan 12, 2026

Add transparent support for post-quantum hybrid age keys (generated with age-keygen -pq). The agenix CLI now auto-detects age identity files in ~/.ssh/age.key and ~/.config/age/*.key, and the default identityPaths in both NixOS and home-manager modules now include ~/.ssh/age.key (and /etc/ssh/age.key for NixOS).

Changes:

  • pkgs/agenix.sh: Add detection of age identity files for decryption
  • modules/age.nix: Add /etc/ssh/age.key to default identityPaths
  • modules/age-home.nix: Add ~/.ssh/age.key to default identityPaths
  • Add post-quantum test keys and encrypted secret for integration testing
  • Update documentation to mention post-quantum key usage

Post-quantum keys (AGE-SECRET-KEY-PQ-1) provide protection against future quantum attacks using ML-KEM-768 + X25519 hybrid encryption.

This PR contains two commits:

dbast added 2 commits January 12, 2026 19:27
nixpkgs 25.11 also needs nix >=2.18, thus bumping the actions versions.

Also handling:

```
error: 'nixosTest' has been renamed to/replaced by 'testers.nixosTest'
```

and

```
error:
       nix-darwin now uses release branches that correspond to Nixpkgs releases.
       The nix-darwin and Nixpkgs branches in use must match, but you are currently
       using nix-darwin 26.05 with Nixpkgs 25.11.

       On macOS, you should use either the `nixpkgs-unstable` or
       `nixpkgs-YY.MM-darwin` branches of Nixpkgs. These correspond to the
       `master` and `nix-darwin-YY.MM` branches of nix-darwin, respectively. Check
       <https://status.nixos.org/> for the currently supported Nixpkgs releases.
```

and

```
evaluation warning: user1 profile: You are using

  Home Manager version 26.05 and
  Nixpkgs version 25.11.

Using mismatched versions is likely to cause errors and unexpected
behavior. It is therefore highly recommended to use a release of Home
Manager that corresponds with your chosen release of Nixpkgs.
```

and

```
error:
       Failed assertions:
       - The `system.activationScripts.extraUserActivation` option has
       been removed, as all activation now takes place as `root`. Please
       restructure your custom activation scripts appropriately,
       potentially using `sudo` if you need to run commands as a user.
```

Also update darwin CI: remove deprecated activate-user and handle /etc
files for nix-darwin 25.11.
Add transparent support for post-quantum hybrid age keys (generated with
age-keygen -pq). The agenix CLI now auto-detects age identity files in
~/.ssh/age.key and ~/.config/age/*.key, and the default identityPaths in
both NixOS and home-manager modules now include ~/.ssh/age.key (and
/etc/ssh/age.key for NixOS).

Note: This commit requires nixpkgs with age >=1.3.0 (e.g., nixpkgs 25.11+
with updated flake.lock from a prior commit).

Changes:
- pkgs/agenix.sh: Add detection of age identity files for decryption
- modules/age.nix: Add /etc/ssh/age.key to default identityPaths
- modules/age-home.nix: Add ~/.ssh/age.key to default identityPaths
- Add post-quantum test keys and encrypted secret for integration testing
- Update documentation to mention post-quantum key usage

Post-quantum keys (AGE-SECRET-KEY-PQ-1) provide protection against
future quantum attacks using ML-KEM-768 + X25519 hybrid encryption.
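The identity auto-detection the PR describes, shown as an added POSIX sh example (this is not agenix's own pkgs/agenix.sh, and the function names are this example's own): it probes ~/.ssh/age.key and ~/.config/age/*.key for age-native keys, which is where a hybrid key from `age-keygen -pq` would live, plus the usual SSH keys, keeps only files that exist, classifies each by its header line (AGE-SECRET-KEY-PQ-1 vs AGE-SECRET-KEY-1 vs an OpenSSH key), and hands the survivors to `age -d` as `-i` arguments.

```shell
#!/bin/sh
# Added example, not agenix's own code. Mirrors the identity detection the
# PR describes: age-native keys in ~/.ssh/age.key and ~/.config/age/*.key
# (including post-quantum hybrid keys from `age-keygen -pq`), plus SSH keys.

# Print the path of every candidate identity file that exists, one per line.
# An unmatched glob such as ~/.config/age/*.key expands to itself in POSIX sh,
# so the -f test is what keeps a literal "*.key" from being passed to age.
identity_files() {
    for f in "$HOME/.ssh/age.key" "$HOME"/.config/age/*.key \
             "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Classify an identity file by its first non-comment, non-blank line:
# "age-pq" for an ML-KEM-768 + X25519 hybrid key (AGE-SECRET-KEY-PQ-1...),
# "age" for a classic X25519 key (AGE-SECRET-KEY-1...), "ssh" for an OpenSSH
# private key. Useful for logging which kind of identity decrypted a secret.
identity_kind() {
    first=$(grep -v -e '^#' -e '^$' "$1" | head -n 1)
    case $first in
        AGE-SECRET-KEY-PQ-1*)                  echo age-pq ;;
        AGE-SECRET-KEY-1*)                     echo age ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo ssh ;;
        *)                                     echo unknown ;;
    esac
}

# Number of identities that would be offered to age.
identity_count() {
    identity_files | awk 'END { print NR }'
}

# Decrypt FILE with every detected identity. age accepts several -i flags and
# tries each; the arguments are accumulated with `set --` so that paths
# containing spaces reach age intact (no unquoted $(...) word splitting).
decrypt_secret() {
    file=$1
    set --
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        set -- "$@" -i "$p"
    done <<EOF
$(identity_files)
EOF
    if [ $# -eq 0 ]; then
        echo "no identity files found under $HOME" >&2
        return 1
    fi
    age -d "$@" "$file"
}
```

Usage: `decrypt_secret secrets/example.age > /tmp/plaintext`. The `-f` filter is the important detail: passing a non-existent `-i` path makes age fail outright, so a missing optional key such as ~/.ssh/age.key must be skipped rather than passed through, and for the same reason the default identityPaths in the modules only need to list the locations, not guarantee they exist.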
@dbast dbast marked this pull request as ready for review January 14, 2026 19:09