Add a converter from private ssh keys to age

README.md

@@ -204,10 +204,16 @@ $ ssh-keygen -t ed25519
 
 Converting the public key to the age format works like this:
 ```console
-$ nix run -f default.nix sops-ssh-to-age -c sh -c 'ssh-add -L | sops-ssh-to-age'
+$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-add -L | ssh-pubkey-to-age'
 ```
 
-Ssh public key files may also be piped into the `sops-ssh-to-age` tool.
+Ssh public key files may also be piped into the `ssh-pubkey-to-age` tool.
+
+Finally, you need to convert your private key to the age format:
+```console
+$ mkdir -p ~/.config/sops
+$ nix run -f default.nix ssh-privkey-to-age -c ssh-privkey-to-age ~/.ssh/id_ed25519 > ~/.config/sops/keys.txt
+```
 
 ### 3a. Get a PGP Public key for your machine
 
@@ -243,11 +249,11 @@ If you prefer having a separate GnuPG key, see [Use with GnuPG instead of ssh ke
 
 ### 3b. Get a age Public key for your machine
 
-The `sops-ssh-to-age` tool is used to convert any ssh public key to the age format.
+The `ssh-pubkey-to-age` tool is used to convert any ssh public key to the age format.
 This way you can convert any key:
 ```console
-$ nix run -f default.nix sops-ssh-to-age -c sh -c 'ssh-keyscan my-server.com | sops-ssh-to-age'
-$ nix run -f default.nix sops-ssh-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | sops-ssh-to-age'
+$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'ssh-keyscan my-server.com | ssh-pubkey-to-age'
+$ nix run -f default.nix ssh-pubkey-to-age -c sh -c 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-pubkey-to-age'
 ```
 
 ### 4. Create a sops file

default.nix

@@ -11,7 +11,8 @@ in rec {
     Also see https://github.com/Mic92/sops-nix/issues/98
   '' pkgs.callPackage ./pkgs/sops-pgp-hook { };
   sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { };
-  sops-ssh-to-age = pkgs.callPackage ./pkgs/sops-ssh-to-age { inherit vendorSha256; };
+  ssh-pubkey-to-age = pkgs.callPackage ./pkgs/ssh-pubkey-to-age { inherit vendorSha256; };
+  ssh-privkey-to-age = pkgs.callPackage ./pkgs/ssh-privkey-to-age { inherit vendorSha256; };
   inherit sops-install-secrets;
 
   # backwards compatibility

pkgs/ssh-privkey-to-age/default.nix

@@ -0,0 +1,19 @@
+{ stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
+buildGoModule {
+  pname = "ssh-privkey-to-age";
+  version = "0.0.1";
+
+  src = ../..;
+
+  subPackages = [ "pkgs/ssh-privkey-to-age" ];
+
+  inherit vendorSha256;
+
+  meta = with lib; {
+    description = "Converter that converts SSH private keys into age keys";
+    homepage = "https://github.com/Mic92/sops-nix";
+    license = licenses.mit;
+    maintainers = with maintainers; [ mic92 ];
+    platforms = platforms.linux;
+  };
+}

pkgs/ssh-privkey-to-age/main.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/agessh"
+)
+
+func main() {
+	if len(os.Args) != 2 {
+		println("Usage: " + os.Args[0] + " [path to ssh private key]")
+		os.Exit(1)
+	}
+
+	sshKey, err := ioutil.ReadFile(os.Args[1])
+	if err != nil {
+		panic(fmt.Errorf("Cannot read ssh key '%s': %w", os.Args[1], err))
+	}
+
+	// Convert the key to bech32
+	bech32, err := agessh.SSHPrivateKeyToBech32(sshKey)
+	if err != nil {
+		panic(fmt.Errorf("Cannot convert ssh key '%s': %w", os.Args[1], err))
+	}
+	fmt.Println(bech32)
+}

pkgs/ssh-pubkey-to-age/default.nix

@@ -1,11 +1,11 @@
 { stdenv, lib, buildGoModule, path, pkgs, vendorSha256, go }:
 buildGoModule {
-  pname = "sops-ssh-to-age";
+  pname = "ssh-pubkey-to-age";
   version = "0.0.1";
 
   src = ../..;
 
-  subPackages = [ "pkgs/sops-ssh-to-age" ];
+  subPackages = [ "pkgs/ssh-pubkey-to-age" ];
 
   inherit vendorSha256;