== Introduction ==
range from user passwords and Wi-Fi passwords through private keys (SSH, TLS, ...)
to API tokens and similar things. Normally one would store this kind of
information in files with restricted access rights (only readable by some Unix
user) or even encrypt it on disk. Nix and NixOS store a lot of information
in the world-readable Nix store, where at least the former is not possible. People who track
machines. This page tries to give an overview of the different schemes that can
be used and outlines the aims, requirements and implications of each.

This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete, as people keep starting new projects to handle secrets in Nix(OS).
== Definitions ==
The properties of the different schemes that are listed in the table below are
explained in detail here. You are welcome to add more schemes (rows) to the
table; please try to fill in as many of the properties as you can. If you add a new column, please try to fill it in for all existing rows as far as possible.
; scheme
; runtime
: where does the secret reside after system activation, is it encrypted, who can read it
; encryption technology
: which programs or tools are used for encryption or decryption of secrets; whether {{ic|ssh-agent}}, {{ic|gpg-agent}} or similar are supported
; "official" project
: whether this is a published software project (maybe even actively developed) or just some notes in a forum or a blog entry
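The "build time" and "{{ic|/nix/store}}" properties above hinge on one mechanical detail: anything that exists as a ''value'' during evaluation is written into the store, while a ''path string'' is only resolved on the target after activation. The following NixOS module fragment is an added example (it is not from this page or from any of the projects listed below) contrasting the two; every path, user and service name in it is a placeholder. {{ic|builtins.exec}} behaves like {{ic|builtins.readFile}} here and additionally requires {{ic|allow-unsafe-native-code-during-evaluation {{=}} true}} in {{ic|nix.conf}}.

```nix
# Added example, not code from the wiki page or from any of the listed
# projects. It shows where a secret ends up depending on HOW it is referenced
# from a NixOS module; all paths, users and service names are hypothetical.
{ config, pkgs, ... }:
{
  ##### pre build / build time: evaluation-time reads leak into the store #####

  # BAD: builtins.readFile runs during evaluation. The returned string becomes
  # part of the generated user database, so the hash (or, worse, a plaintext
  # token) is written to the world-readable /nix/store of the build host and
  # of every host that later fetches the closure.
  #   users.users.alice.hashedPassword = builtins.readFile /root/alice.hash;

  # BAD, same outcome by a different route: interpolating a path value into a
  # string copies the whole file into the store, and the unit file then
  # points at /nix/store/<hash>-myapp.env.
  #   systemd.services.myapp.serviceConfig.EnvironmentFile = "${/root/myapp.env}";

  ##### system activation / runtime: reference only a path string #####

  users.users.alice = {
    isNormalUser = true;
    # Only the string "/run/keys/alice.hash" is part of the derivation. The
    # file itself is read by the activation script on the target, so it has
    # to be placed there out of band (NixOps send-keys, agenix, sops-nix, ...).
    hashedPasswordFile = "/run/keys/alice.hash";
  };

  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "myapp";
      # systemd reads this file as root at service start, after activation;
      # the unit file in the store contains only the path.
      EnvironmentFile = "/run/keys/myapp.env";
      # Alternative: pass the secret as a systemd credential. The service
      # finds it at $CREDENTIALS_DIRECTORY/api-token, readable only by that
      # service, so the file under /run does not need to be readable by myapp.
      LoadCredential = [ "api-token:/run/keys/myapp.token" ];
      ExecStart = "${pkgs.coreutils}/bin/true";  # placeholder for the real daemon
    };
  };
}
```

The rows in the comparison table differ mainly in ''who'' puts the file under {{ic|/run}} (or another configured path) and ''when'': out of band before activation (NixOps), or by an activation script or systemd unit that decrypts a ciphertext taken from the store (agenix, sops-nix, secrix, Blog entry 1).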
== Comparison ==
{| class="wikitable"
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templating support
! notes
|-
| [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]]
| plain value in a nix expression
| plain
| not stored in the store
| ''N/A'', the user has to run {{ic|nixops send-keys}} to create these files after a (manual) reboot (not required after every reboot if {{ic|destDir}} is on persistent storage)
| unencrypted in {{ic|/run/keys/...}} or configured path
|
| yes
| no
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
|-
| [[agenix]]
| encrypted raw files, the {{ic|agenix}} CLI encrypts with the user and host ssh keys
|
| encrypted
| decryption with the host ssh key
| unencrypted in {{ic|/run/secrets/...}} or configured path
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
| yes
| no
|
|-
| [https://github.com/Mic92/sops-nix sops-nix]
| encrypted with an age, pgp or ssh key, supports YubiKey when gnupg is used, can be stored in git
|
| encrypted
| decryption
| stored in {{ic|/run/secrets/}} with configurable permissions
| uses [https://github.com/mozilla/sops sops]
| yes
| yes
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
|-
| [https://github.com/krebs/krops krops]
| stored in [https://www.passwordstore.org/ the password store]
|
|
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}), which uses gpg
| yes
| no
|
|-
| [https://github.com/tweag/terraform-nixos terraform-nixos]
| value of a nix expression
|
| stored in {{ic|/var/keys/...}} owned by the {{ic|keys}} unix group
|
|
|
| yes
| no
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
|-
| [https://github.com/platonic-systems/secrix secrix]
| encrypted raw files, like {{ic|agenix}}
|
| encrypted
| decryption with the host ssh key
| unencrypted in a configured path in {{ic|/run}}
| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
| yes
| no
| focuses on keeping secrets decrypted for a minimal amount of time
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templating support
! notes
|-
| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
| plain text file (unencrypted), can be stored in git
| encryption
| encrypted in the store
| decrypted by a systemd unit
|
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog] and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
| no
| Warning: the plaintext is unencrypted in the nix store of the deployment machine
|-
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
wrapper around {{ic|pass}} based on [https://github.com/shlevy/nix-plugins nix-plugins]
| stored in [https://www.passwordstore.org/ the password store]
| data is retrieved/decrypted with {{ic|pass}} during evaluation time
| unencrypted in the store
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}), which uses gpg
| no
| no
|
|-
| {{ic|builtins.readFile}}
{{ic|builtins.exec}}
discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on Discourse] about build-time secrets
| {{ic|builtins.readFile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database, password manager etc.
| these functions return values in a nix expression; it is up to the user what happens to these values in {{ic|configuration.nix}}
| see "build time"
| see "build time"
| see "build time"
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
| no
| no
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templating support
! notes
|}
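To make the agenix row concrete, here is an added example of what such a deployment looks like on the NixOS side (this is not agenix's own code or documentation). It assumes the agenix NixOS module is imported, and the recipient keys, file names, user and service are placeholders. The {{ic|secrets.nix}} file is consumed only by the {{ic|agenix}} CLI when encrypting; the NixOS module only ever sees the {{ic|.age}} ciphertext.

```nix
# Added example, not agenix's own code. Two files are shown; the key strings,
# file names, user and service are placeholders.

# ---- secrets/secrets.nix: read only by the `agenix` CLI, never by NixOS ----
# let
#   alice = "ssh-ed25519 AAAA...placeholder... alice@laptop";  # operator's user key
#   host1 = "ssh-ed25519 AAAA...placeholder... root@host1";    # target's /etc/ssh/ssh_host_ed25519_key.pub
# in {
#   # `agenix -e db-password.age` encrypts to both recipients; either key decrypts.
#   "db-password.age".publicKeys = [ alice host1 ];
# }

# ---- configuration.nix fragment: assumes the agenix NixOS module is imported ----
{ config, pkgs, ... }:
{
  # identities tried at activation; the ciphertext was encrypted to the
  # matching public key listed in secrets.nix
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # the .age file (ciphertext) is what gets copied into /nix/store
  age.secrets.db-password = {
    file = ./secrets/db-password.age;
    owner = "myapp";
    group = "myapp";
    mode = "0400";
    # `path` defaults to a location under /run; the service below reads the
    # option value instead of hardcoding it, so the module stays correct if
    # the default changes
  };

  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "myapp";
      # only the path string ends up in the unit file (and hence in the store);
      # the decrypted content is read by systemd when the service starts
      LoadCredential = [ "db-password:${config.age.secrets.db-password.path}" ];
      ExecStart = "${pkgs.coreutils}/bin/true";  # placeholder for the real daemon
    };
  };
}
```

Because the host key is the decryption identity, anyone who can read {{ic|/etc/ssh/ssh_host_ed25519_key}} (root on the target, or whoever holds a backup of it) can decrypt every {{ic|.age}} file that was encrypted to that host; rotating the host key therefore means re-encrypting the secrets with the new public key in {{ic|secrets.nix}}.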
[[Category:Guide]] |
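The sops-nix row is the only one in the table with templating support. The added example below (not sops-nix's own code) shows why that column matters: the secret is substituted into a rendered file at activation, so a config file that has to contain the secret never enters the store. It assumes the sops-nix NixOS module is imported and that {{ic|./secrets/secrets.yaml}} was encrypted with {{ic|sops}} to the age recipient printed by {{ic|ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub}}; the secret names, user and service are placeholders.

```nix
# Added example, not from the sops-nix project. Assumes the sops-nix NixOS
# module is imported and that ./secrets/secrets.yaml contains an encrypted
# key "myapp: { db_password: ... }". Names, user and service are placeholders.
{ config, pkgs, ... }:
{
  # the sops-encrypted YAML lives in the repo and therefore in /nix/store;
  # values inside it are ciphertext, keys and structure are plaintext
  sops.defaultSopsFile = ./secrets/secrets.yaml;

  # derive the age identity from the host ssh key at activation time
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # decrypted to /run/secrets/myapp/db_password with these permissions
  sops.secrets."myapp/db_password" = {
    owner = "myapp";
    mode = "0400";
  };

  # templating: config.sops.placeholder.<name> is a fixed token during
  # evaluation; sops-nix replaces it with the decrypted value when it renders
  # the template at activation, so the rendered file never enters /nix/store
  sops.templates."myapp.env" = {
    owner = "myapp";
    mode = "0400";
    content = ''
      DATABASE_URL=postgres://myapp:${config.sops.placeholder."myapp/db_password"}@127.0.0.1/myapp
    '';
  };

  users.users.myapp = { isSystemUser = true; group = "myapp"; };
  users.groups.myapp = { };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "myapp";
      # the unit file only references the rendered template's path under /run
      EnvironmentFile = config.sops.templates."myapp.env".path;
      ExecStart = "${pkgs.coreutils}/bin/true";  # placeholder for the real daemon
    };
  };
}
```

Without the template, the usual alternative is to have the service read the secret file itself at start-up, which not every daemon supports; interpolating {{ic|config.sops.secrets."myapp/db_password".path}} only gives you the path, never the value, which is exactly the property the "{{ic|/nix/store}}" column is about.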