.\" -*- mode: troff; coding: utf-8 -*-
.TH "nix3-key-generate-secret" "1" ""
.RS
.PP
\fBWarning\fR
.br
This program is
.UR @docroot@/development/experimental-features.md#xp-feature-nix-command
\fBexperimental\fR
.UE
and its interface is subject to change.
.RE
.SH Name
.LP
\f(CRnix key generate-secret\fR - generate a secret key for signing store paths
.SH Synopsis
.LP
\f(CRnix key generate-secret\fR [\fIoption\fR\[u2026]]
.SH Examples
.IP "\(bu" 3
Generate a new secret key:
.LP
.EX
# nix key generate-secret --key-name cache.example.org-1 > ./secret-key
.EE
.IP
We can then use this key to sign the closure of the Hello package:
.LP
.EX
# nix build nixpkgs#hello
# nix store sign --key-file ./secret-key --recursive ./result
.EE
.IP
Finally, we can verify the store paths using the corresponding public key:
.LP
.EX
# nix store verify --trusted-public-keys $(nix key convert-secret-to-public < ./secret-key) ./result
.EE
.SH Description
.LP
This command generates a new Ed25519 secret key for signing store paths and prints it on standard output. Use \f(CRnix key convert-secret-to-public\fR to get the corresponding public key for verifying signed store paths.
.PP
The mandatory argument \f(CR--key-name\fR specifies a key name (such as \f(CRcache.example.org-1\fR). It is used to look up keys on the client when it verifies signatures. It can be anything, but it’s suggested to use the host name of your cache (e.g. \f(CRcache.example.org\fR) with a suffix denoting the number of the key (to be incremented every time you need to revoke a key).
.SH Format
.LP
Both secret and public keys are represented as the key name followed by a base-64 encoding of the Ed25519 key data, e.g.
.LP
.EX
cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==
.EE
.SH Options
.IP "\(bu" 3
.UR #opt-key-name
\f(CR--key-name\fR
.UE
\fIname\fR
.IP
Identifier of the key (e.g. \f(CRcache.example.org-1\fR).
.SS Logging-related options
.IP "\(bu" 3
.UR #opt-debug
\f(CR--debug\fR
.UE
.IP
Set the logging verbosity level to \(oqdebug\(cq.
.IP "\(bu" 3
.UR #opt-log-format
\f(CR--log-format\fR
.UE
\fIformat\fR
.IP
Set the format of log output; one of \f(CRraw\fR, \f(CRinternal-json\fR, \f(CRbar\fR or \f(CRbar-with-logs\fR.
.IP "\(bu" 3
.UR #opt-print-build-logs
\f(CR--print-build-logs\fR
.UE
/ \f(CR-L\fR
.IP
Print full build logs on standard error.
.IP "\(bu" 3
.UR #opt-quiet
\f(CR--quiet\fR
.UE
.IP
Decrease the logging verbosity level.
.IP "\(bu" 3
.UR #opt-verbose
\f(CR--verbose\fR
.UE
/ \f(CR-v\fR
.IP
Increase the logging verbosity level.
.SS Miscellaneous global options
.IP "\(bu" 3
.UR #opt-help
\f(CR--help\fR
.UE
.IP
Show usage information.
.IP "\(bu" 3
.UR #opt-offline
\f(CR--offline\fR
.UE
.IP
Disable substituters and consider all previously downloaded files up-to-date.
.IP "\(bu" 3
.UR #opt-option
\f(CR--option\fR
.UE
\fIname\fR \fIvalue\fR
.IP
Set the Nix configuration setting \fIname\fR to \fIvalue\fR (overriding \f(CRnix.conf\fR).
.IP "\(bu" 3
.UR #opt-refresh
\f(CR--refresh\fR
.UE
.IP
Consider all previously downloaded files out-of-date.
.IP "\(bu" 3
.UR #opt-version
\f(CR--version\fR
.UE
.IP
Show version information.
.RS
.LP
\fBNote\fR
.PP
See \c
.UR @docroot@/command-ref/conf-file.md#command-line-flags
\f(CRman nix.conf\fR
.UE
for overriding configuration settings with command line flags.
.RE
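The key format described under Format, as an added example (not part of the Nix manual or the Nix code base): a Python check that classifies a name:base64 entry as secret or public by its decoded payload length and flags a secret key pasted into a trusted-public-keys value. It assumes libsodium's Ed25519 sizes (64-byte secret key, 32-byte public key); parse_key, audit_trusted_public_keys and the constructed public entry are names and values chosen here.

```python
import base64
import binascii
from typing import NamedTuple

# Assumption: libsodium Ed25519 payload sizes in bytes.
SECRET_LEN, PUBLIC_LEN = 64, 32
# The sample key printed in the Format section of this page.
DOC_EXAMPLE = ("cache.example.org-0:E7lAO+MsPwTFfPXsdPtW8GKui/5ho4KQHVcAGnX+"
               "Tti1V4dUxoVoqLyWJ4YESuZJwQ67GVIksDt47og+tPVUZw==")
# Constructed 32-byte placeholder entry; not a real public key.
CONSTRUCTED_PUBLIC = "cache.example.org-1:" + base64.b64encode(bytes(range(32))).decode()


class Key(NamedTuple):
    name: str
    kind: str    # "secret", "public" or "invalid"
    detail: str


def parse_key(text: str) -> Key:
    """Split 'name:base64' at the first colon and classify by decoded length."""
    name, sep, b64 = text.strip().partition(":")
    if not sep or not name or not b64:
        return Key(name, "invalid", "expected <key-name>:<base64>")
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return Key(name, "invalid", f"bad base64: {exc}")
    if len(raw) == SECRET_LEN:
        return Key(name, "secret", "64-byte payload")
    if len(raw) == PUBLIC_LEN:
        return Key(name, "public", "32-byte payload")
    return Key(name, "invalid", f"unexpected payload length {len(raw)}")


def audit_trusted_public_keys(value: str) -> list[str]:
    """Return findings for a whitespace-separated trusted-public-keys value."""
    findings = []
    for entry in value.split():
        key = parse_key(entry)
        if key.kind == "secret":
            findings.append(f"{key.name}: SECRET key where a public key belongs")
        elif key.kind == "invalid":
            findings.append(f"{key.name or entry}: {key.detail}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_trusted_public_keys(f"{CONSTRUCTED_PUBLIC} {DOC_EXAMPLE} oops")))
```

A secret key found this way should be treated as exposed and replaced with a new key under an incremented name suffix, as the Description section suggests for revocation.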