age-encrypted secrets for NixOS; drop-in replacement for agenix



ragenix provides age-encrypted secrets for NixOS systems which live in the Nix store and are decrypted on system activation. Using ragenix to create, edit and rekey secrets is possible on any system which has Nix installed—with particular support for NixOS and macOS.

ragenix is a drop-in replacement for @ryantm's agenix written in Rust. It aims at being fully compatible with its flake while offering more robust command line parsing, additional validation logic and solid tests.

As opposed to agenix, ragenix only strives for supporting Nix Flakes.


As ragenix seeks to replace agenix without breaking compatibility, getting started with age-encrypted secrets or switching from agenix to ragenix is easy: just follow the original instructions from agenix while replacing references to with Everything else should remain the same as the ragenix package provides aliases for a) an agenix package and b) the agenix binary. The flake also exposes a NixOS module which is passed through from the agenix flake.

Create, edit and rekey secrets

ragenix resembles the command line options and behavior of agenix:

  • By default, ragenix looks for a Nix rules file in ./secrets.nix. You may change this path by setting the RULES environment variable accordingly. As a ragenix addon, you may also use the --rules command line option.
  • The Nix rules reference age-encrypted files relative to the rules file. For example, a ./secrets/secrets.nix file with the following content would instruct ragenix to look for mysecret.age in ./secrets/: { "mysecret.age".publicKeys = [ "age1hunh4g..." ]; }.
  • If a file given in the secrets rules does not exist:
    • --edit: the file is created prior to opening it for editing.
    • --rekey: the file is ignored.
  • ragenix opens a file for editing using $EDITOR. Again, you may use --editor instead of the environment variable.
  • Prior to editing/rekeying, ragenix verifies the validity of the rules file using this JSON schema. The schema is also available to third party applications with the --schema command line switch. For an example rules file, please refer to the agenix README or take a look at the files in the example directory of this repository.
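
A fuller rules file in the layout the list above describes, added here as an illustration and not taken from the ragenix or agenix repositories. The recipient strings and secret file names are constructed placeholders, not valid age keys; substitute real public keys before use.

```nix
# ./secrets/secrets.nix
let
  # Constructed placeholder recipients; replace with real age public keys.
  alice = "age1-PLACEHOLDER-alice";
  bob = "age1-PLACEHOLDER-bob";
  web01 = "age1-PLACEHOLDER-host-web01";
  db01 = "age1-PLACEHOLDER-host-db01";

  # People who may create, edit and rekey every secret.
  admins = [ alice bob ];
in
{
  # Paths are resolved relative to this file, i.e. ./secrets/*.age.
  # Each host is a recipient only of the secrets it has to decrypt
  # on activation, so one compromised host key does not expose the rest.
  "web-tls-key.age".publicKeys = admins ++ [ web01 ];
  "db-password.age".publicKeys = admins ++ [ web01 db01 ];
  "backup-passphrase.age".publicKeys = admins ++ [ db01 ];
}
```

After a recipient list changes, --rekey brings the existing .age files in line with it; entries whose file has not been created yet are ignored, as noted in the list above.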

The ragenix package also provides shell completions for bash, zsh, and fish. Make sure to install the package with either nix profile install github:yaxitech/ragenix, environment.systemPackages on NixOS or home.packages for home-manager.


We'd love to see PRs from you! Please consider the following guidelines:

  • ragenix stays compatible with agenix. Please make sure your contributions don't introduce breaking changes.
  • The secrets configuration happens through a Nix configuration.
  • New features should support both NixOS and macOS, if applicable.

The CI invokes nix flake check. Some of the checks invoke nix itself. To allow those tests to run nix, you have to enable the recursive-nix feature. On NixOS, you can put the following snippet into your configuration.nix:

  nix = {
    extraOptions = ''
      experimental-features = nix-command flakes recursive-nix
    '';
    systemFeatures = [ "recursive-nix" ];
  };

Similar projects / acknowledgements

The agenix-cli project is quite similar to ragenix. In fact, it served as an inspiration (thanks!). Both projects have in common that they aim at replacing the fragile shell script with a version written in Rust. In contrast to ragenix, however, agenix-cli is not compatible with the original agenix. It uses a TOML configuration file to declare rules on a repository level (similar to .sops.yaml). While having a global rules file might be useful for some (particularly if you're looking to switch from sops-nix), we wanted to continue to define our rules using Nix expressions which reside in different directories.

You'll be amazed.