Merge pull request #64 from nicdumz/patch-2
oddlama authored Jan 9, 2025
2 parents f5a567b + 9ae0f76 commit 3e2b748
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -261,10 +261,10 @@ This agenix extension also works with FIDO2 keys instead of yubikeys, but you wi
to adjust your setup a little (thanks to @Arbel-arad for pointing this out):
- First you require a FIDO2 key that supports the `hmac-secret` extension, which you can check by running `fido2-token -I`
- Add the necessary plugin by setting `age.rekey.agePlugins = [pkgs.age-plugin-fido2-hmac];`
- Run `age-plugin-fido2-hmac -g` to generate credentials on your FIDO2 key
- If it asks whether you want a separate identity file, pick yes. It will print the recipient address and keygrip.
- Specify the keygrip identity file and provide the public key to agenix-rekey: `age.rekey.masterIdentities = [{ identity = ./mykey.hmac; pubkey = "age123456..."; }];`
- Add the necessary plugin by setting `age.rekey.agePlugins = [pkgs.age-plugin-fido2-hmac];` (consider adding it to your devShell for convenience too).
- Run `age-plugin-fido2-hmac -g > ./mykey.pub` to generate credentials on your FIDO2 key
- When it asks whether you want a separate identity file, pick yes.
- Specify the keygrip identity file and provide the public key to agenix-rekey: `age.rekey.masterIdentities = [ ./mykey.pub ];`
## Secret generation
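Review bot: In the last bullet the prose still reads "Specify the keygrip identity file and provide the public key to agenix-rekey", but the new example passes only the single path `./mykey.pub`, so the sentence and the snippet disagree; reword the bullet to match the single-path form. The file name is also confusing: it is called `mykey.pub` yet is listed under `age.rekey.masterIdentities`, and the removed sentence "It will print the recipient address and keygrip" was the only description of what the command outputs. Please state what ends up in `./mykey.pub` and whether it is meant to be committed to the repository, and confirm that the "separate identity file" prompt mentioned in the following bullet is still visible to the user when stdout is redirected with `>`.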