Comparison of secret managing schemes: Difference between revisions

← Older edit

Comparison of secret managing schemes (view source)

Revision as of 14:07, 1 April 2024

518 bytes added , 1 April

drop obsolete link

VisualWikitext

Mic92

Bureaucrats, Interface administrators, Administrators

194

edits

@@ Line 4: / Line 4: @@
 range from user passwords and Wifi passwords over private keys (ssh, ssl, ...)
 to API tokens and similar things. Normally one would store this kind of
-information in files with restricted access writes (only readable by some Unix
+information in files with restricted access rights (only readable by some Unix
 user) or even encrypt them on disk. Nix and NixOS store a lot of information
 in the world-readable Nix store where at least the former is not possible. People who track
@@ Line 14: / Line 14: @@
 machines. This page tries to give an overview of different schemes that can
 be used and outlines the aims, requirements and implications of each.
+This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete as people will start new projects to handle secrets in Nix(OS).
 == Definitions ==
@@ Line 40: / Line 42: @@
 == Comparison ==
-In case this table is difficult to read with the default theme, try [https://nixos.wiki/index.php?title=Comparison_of_secret_managing_schemes&useskin=vector#Comparison the vector theme].
 {| class="wikitable"
@@ Line 52: / Line 53: @@
 ! encryption technology
 ! "official" project
+! templating support
 ! notes
 |-
-| [https://hydra.nixos.org/build/115931128/download/1/manual/manual.html#idm140737322649152 NixOps keys]
+| [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]]
-(is there a better link to the docs that does not depend on a hydra build id?)
 | plain value in a nix expression
 |
@@ Line 63: / Line 64: @@
 |
 | yes
+| no
 | "out of band", secret management happens outside of {{ic|nixos-rebuild}}
 |-
-| [https://github.com/ryantm/agenix agenix]
+| [[agenix]]
 | encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key
 |
@@ Line 73: / Line 75: @@
 | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
 | yes
+| no
 |
 |-
 | [https://github.com/Mic92/sops-nix sops-nix]
-| encrypted with gpg or ssh key
+| encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git
 |
 | encrypted
 | decryption
-| stored in {{ic|/run/secrests/}} with configurable permissions
+| stored in {{ic|/run/secrets/}} with configurable permissions
 | uses [https://github.com/mozilla/sops sops]
+| yes
 | yes
 | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
@@ Line 93: / Line 97: @@
 | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
 | yes
+| no
 |
 |-
@@ Line 103: / Line 108: @@
 |
 | yes
+| no
 | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
+|-
+| [https://github.com/platonic-systems/secrix secrix]
+| encrypted raw files, like {{ic|agenix}}
+|
+| encrypted
+| decryption with the host ssh key
+| unencrypted in configured path in {{ic|/run}}
+| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
+| yes
+| no
+| Focuses on trying to keep secrets decrypted for a minimal amount of time
 |-
 ! scheme
@@ Line 113: / Line 130: @@
 ! encryption technology
 ! "official" project
+! templates
 ! notes
 |-
-| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
+| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
 | plain text file (unencrypted), can be stored in git
 | encryption
@@ Line 123: / Line 141: @@
 | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
 | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
+| no
 | Warning: plaintext is unencrypted in the nix store of the deployment machine
 |-
@@ Line 132: / Line 151: @@
 |
 |
-| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which
+| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
-uses gpg
+| no
 | no
 |
@@ Line 139: / Line 158: @@
 | {{ic|builtins.readfile}}
 {{ic|builtins.exec}}
-discussion
+discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] about build time secrets
-[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
+| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or password manager etc.
-about build time secrets
-| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or passwordmanager etc
 | these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}}
 | see "build time"
@@ Line 148: / Line 165: @@
 | see "build time"
 | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
+| no
 | no
 | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
@@ Line 161: / Line 179: @@
 ! notes
 |}
+[[Category:Guide]]