nix3-key-generate-secret(1) General Commands Manual nix3-key-generate-secret(1)

Warning: This program is experimental and its interface is subject to change.

nix key generate-secret - generate a secret key for signing store paths

nix key generate-secret [option…]

Generate a new secret key:
# nix key generate-secret --key-name > ./secret-key
We can then use this key to sign the closure of the Hello package:
# nix build nixpkgs#hello
# nix store sign --key-file ./secret-key --recursive ./result
Finally, we can verify the store paths using the corresponding public key:
# nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result

This command generates a new Ed25519 secret key for signing store paths and prints it on standard output. Use nix key convert-secret-to-public to get the corresponding public key for verifying signed store paths.

The mandatory argument --key-name specifies a key name. It is used to look up keys on the client when it verifies signatures: each signature carries the name of the key that produced it, and the client checks it only against a trusted public key of the same name. The name can be anything, but it is suggested to use the host name of your cache with a suffix denoting the number of the key (to be incremented every time you need to revoke a key), so that a compromised key can be retired by telling clients to trust only the newer one.

Both secret and public keys are represented as the key name followed by a colon and a base-64 encoding of the Ed25519 key data (32 bytes for a public key, 64 bytes for a secret key), e.g.
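The following is an added example, not Nix's own code, that models the whole procedure above (generate-secret, convert-secret-to-public, sign, verify) in pure Python so the key, signature and fingerprint formats can be inspected offline. Facts taken from Nix: keys and signatures are "name:base64" strings, the 64-byte secret key is the Ed25519 seed followed by the public key (so convert-secret-to-public is a slice of the last 32 bytes), the client selects the trusted key by the name in the signature, and what gets signed is the path fingerprint "1;storePath;narHash;narSize;references". Assumptions: the key names cache.test-1 and cache.test-2, the fixed seeds, and the store path and NAR hash are constructed placeholders; the Ed25519 arithmetic is the plain RFC 8032 reference algorithm, written here for illustration, not Nix's libsodium calls.

```python
# Added example, not Nix's own code: a pure-Python model of the formats behind
# `nix key generate-secret`, `nix key convert-secret-to-public`, `nix store sign`
# and `nix store verify`.  Ed25519 uses the plain RFC 8032 reference arithmetic
# (slow and illustrative, not a hardened implementation).
import base64
import hashlib

q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # base point order
d = (-121665 * pow(121666, q - 2, q)) % q             # curve constant
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q

def xrecover(y):  # even x for a given y (RFC 8032 point decoding)
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x % 2 else x

By = (4 * pow(5, q - 2, q)) % q
B = (xrecover(By), By)                                # base point

def edwards(P, Q):  # affine twisted-Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q) % q)

def scalarmult(P, e):  # right-to-left double-and-add; (0, 1) is the neutral element
    Q = (0, 1)
    while e:
        if e & 1:
            Q = edwards(Q, P)
        P, e = edwards(P, P), e >> 1
    return Q

def encodepoint(P):  # y little-endian, with the parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != s[31] >> 7:
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("point not on curve")
    return (x, y)

def secret_scalar(seed):  # clamped scalar a and the 32-byte nonce prefix
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]

def ed25519_public_key(seed):
    return encodepoint(scalarmult(B, secret_scalar(seed)[0]))

def ed25519_sign(seed, pk, m):
    a, prefix = secret_scalar(seed)
    r = int.from_bytes(hashlib.sha512(prefix + m).digest(), "little") % L
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + m).digest(), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")

def ed25519_verify(pk, m, sig):
    if len(sig) != 64:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L:                                        # reject non-canonical S
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + m).digest(), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, k))

# The Nix layer: every key and signature is "name:base64", and what gets
# signed for a store path is its fingerprint, not the path or the NAR itself.
def parse_key(s, expected_len):
    name, _, b64 = s.partition(":")
    raw = base64.b64decode(b64, validate=True)
    if not name or len(raw) != expected_len:
        raise ValueError("malformed key: " + s)
    return name, raw

def generate_secret(name, seed):  # nix key generate-secret (Nix draws the seed from the OS RNG)
    return name + ":" + base64.b64encode(seed + ed25519_public_key(seed)).decode()

def convert_secret_to_public(secret):  # nix key convert-secret-to-public: last 32 bytes
    name, raw = parse_key(secret, 64)
    return name + ":" + base64.b64encode(raw[32:]).decode()

def fingerprint(store_path, nar_hash, nar_size, references):  # what `nix store sign` signs
    return "1;%s;%s;%d;%s" % (store_path, nar_hash, nar_size, ",".join(references))

def sign_path(secret, fp):  # nix store sign --key-file
    name, raw = parse_key(secret, 64)
    return name + ":" + base64.b64encode(ed25519_sign(raw[:32], raw[32:], fp.encode())).decode()

def verify_path(sig, fp, trusted_public_keys):  # nix store verify --trusted-public-keys
    keys = dict(parse_key(k, 32) for k in trusted_public_keys)
    name, _, b64 = sig.partition(":")
    if name not in keys:                              # unknown key name: untrusted, not checked
        return False
    try:
        return ed25519_verify(keys[name], fp.encode(), base64.b64decode(b64, validate=True))
    except ValueError:
        return False
```

Calling generate_secret("cache.test-1", seed), convert_secret_to_public on the result, then sign_path and verify_path over a fingerprint reproduces the three commands above. The lookup in verify_path is the point of the --key-name convention: a signature made by cache.test-1 is simply not considered when the client trusts only cache.test-2, which is how incrementing the suffix revokes an old key without any cryptographic revocation mechanism.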

--key-name name
Identifier of the key (e.g.