sys/boot: luks-ext4-fscrypt-impermanence: replace openssl with rage

author: Alejandro Soto <alejandro@34project.org> 2026-04-02 19:34:53 -0600
committer: Alejandro Soto <alejandro@34project.org> 2026-04-02 23:33:02 -0600
commit: 399da96059c2b7a8a3ca66896d069d1234f80294 (patch)
tree: a8457c512749c1e8509bd514f3c275af49e740f6 /sys/boot/stack
parent: b23ac78ed1d1da58ccf566416fd5b5e42185fac0 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
index 81feb60..7905da3 100644
--- a/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
+++ b/sys/boot/stack/luks-ext4-fscrypt-impermanence.nix
@@ -52,9 +52,10 @@ in {
       key_id=$(${fscryptctl} add_key /mnt-toplevel </boot-key)
       ${fscryptctl} set_policy "$key_id" "$root_from_toplevel"
       (umask 077; test -f /mnt-toplevel/boot-archive.pub && \
-        ${pkgs.openssl}/bin/openssl pkeyutl -encrypt \
-        -in /boot-key -pubin -inkey /mnt-toplevel/boot-archive.pub \
-        -out "/mnt-toplevel/boot-keys/$boot_stamp.key.crypt")
+        ${getExe pkgs.rage} -ae \
+          -R /mnt-toplevel/boot-archive.pub \
+          -o "/mnt-toplevel/boot-keys/$boot_stamp.key.age" \
+          /boot-key)
       rm -f /boot-key
 
       ln -Tsf "$boot_stamp" /mnt-toplevel/boots/last
author	Alejandro Soto <alejandro@34project.org>	2026-04-02 19:34:53 -0600
committer	Alejandro Soto <alejandro@34project.org>	2026-04-02 23:33:02 -0600
commit	399da96059c2b7a8a3ca66896d069d1234f80294 (patch)
tree	a8457c512749c1e8509bd514f3c275af49e740f6 /sys/boot/stack
parent	b23ac78ed1d1da58ccf566416fd5b5e42185fac0 (diff)