This guide explains how to set up YubiKey and other plugins for clan vars secrets.
By default the clan vars subcommand uses the age encryption tool, which supports various plugins.
Below is a list of popular age plugins you can use with Clan. (Last updated: September 12, 2025)
Note: Plugins marked with 🧪 are experimental. Plugins marked with ⭐️ are official.
If you want to use FIDO2 tokens to encrypt your secret instead of the normal age secret key, you need to prefix your age secret key with the corresponding plugin name. In our case we want to use the age-plugin-fido2-hmac plugin, so we replace AGE-SECRET-KEY with AGE-PLUGIN-FIDO2-HMAC.
Key file: ~/.config/sops/age/keys.txt (Linux) or /Users/admin/Library/Application Support/sops/age/keys.txt (macOS)

Before:

    # public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
    AGE-SECRET-KEY-1QQPQZRFR7ZZ2WCV...

After:

    # public key: age1zdy49ek6z60q9r34vf5mmzkx6u43pr9haqdh5lqdg7fh5tpwlfwqea356l
    AGE-PLUGIN-FIDO2-HMAC-1QQPQZRFR7ZZ2WCV...

To use age plugins with Clan, you need to configure them in your flake.nix file. Here’s an example:
flake.nix

    {
      inputs.clan-core.url = "https://git.clan.lol/clan/clan-core/archive/25.11.tar.gz";
      inputs.nixpkgs.follows = "clan-core/nixpkgs";

      outputs = { self, clan-core, ... }:
        let
          # Define Clan configuration
          clan = clan-core.lib.clan {
            inherit self;

            meta.name = "myclan";
            meta.domain = "ccc";

            # Add YubiKey and FIDO2 HMAC plugins
            # Note: Plugins must be available in nixpkgs.
            secrets.age.plugins = [
              "age-plugin-yubikey"
              "age-plugin-fido2-hmac"
            ];

            machines = {
              # Machine configurations (omitted for brevity)
            };
          };
        in
        {
          inherit (clan) nixosConfigurations nixosModules clanInternals;
        };
    }
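
A plugin identity in keys.txt only works if the matching plugin is also listed in secrets.age.plugins. The following Python check is an added example, not part of the Clan documentation: it derives the required age-plugin-* binaries from the identity prefixes described above and reports any that are missing from the configured list. The function names and the sample key file are constructed for illustration, and it assumes the nixpkgs package name equals the plugin binary name, as in the flake above.

```python
# Added example: cross-check keys.txt identities against secrets.age.plugins.
# age identities are Bech32 strings: everything before the last "1" is the
# prefix. "AGE-PLUGIN-<NAME>-" is handled by the binary "age-plugin-<name>".
# The Bech32 checksum is not verified here; only the prefix is inspected.

NATIVE_PREFIX = "AGE-SECRET-KEY-"
PLUGIN_PREFIX = "AGE-PLUGIN-"


def required_plugins(keys_text):
    """Return the set of age-plugin-* binaries the identities need."""
    needed = set()
    for lineno, raw in enumerate(keys_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and "# public key: ..." comments
        prefix, sep, _data = line.rpartition("1")
        name = prefix[len(PLUGIN_PREFIX):-1]
        if sep and prefix == NATIVE_PREFIX:
            continue  # plain age key, no plugin required
        if sep and prefix.startswith(PLUGIN_PREFIX) and prefix.endswith("-") and name:
            needed.add("age-plugin-" + name.lower())
            continue
        # Report the line number only, never the key material itself.
        raise ValueError(f"line {lineno}: not a recognised age identity")
    return needed


def missing_plugins(keys_text, configured):
    """Plugins required by keys.txt but absent from secrets.age.plugins."""
    return sorted(required_plugins(keys_text) - set(configured))


# Constructed sample keys.txt; key bodies are truncated placeholders.
SAMPLE_KEYS = """\
# public key: age1exampleplaceholder
AGE-PLUGIN-FIDO2-HMAC-1QQPQZ
AGE-SECRET-KEY-1QQPQZ
"""

if __name__ == "__main__":
    configured = ["age-plugin-yubikey"]  # fido2-hmac left out on purpose
    for plugin in missing_plugins(SAMPLE_KEYS, configured):
        print(f"keys.txt needs {plugin}, but it is not in secrets.age.plugins")
```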