Comparison of secret managing schemes: Difference between revisions

← Older edit

Comparison of secret managing schemes (view source)

Revision as of 14:07, 1 April 2024

301 bytes added , 1 April

drop obsolete link

VisualWikitext

Mic92

Bureaucrats, Interface administrators, Administrators

194

edits

@@ Line 42: / Line 42: @@
 == Comparison ==
-In case this table is difficult to read with the default theme, try [https://nixos.wiki/index.php?title=Comparison_of_secret_managing_schemes&useskin=vector#Comparison the vector theme].
 {| class="wikitable"
@@ Line 54: / Line 53: @@
 ! encryption technology
 ! "official" project
+! templating support
 ! notes
 |-
@@ Line 64: / Line 64: @@
 |
 | yes
+| no
 | "out of band", secret management happens outside of {{ic|nixos-rebuild}}
 |-
-| [https://github.com/ryantm/agenix agenix]
+| [[agenix]]
 | encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key
 |
@@ Line 74: / Line 75: @@
 | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
 | yes
+| no
 |
 |-
 | [https://github.com/Mic92/sops-nix sops-nix]
-| encrypted with age, pgp or ssh key, support yubikey when gnupg is used
+| encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git
 |
 | encrypted
 | decryption
-| stored in {{ic|/run/secrests/}} with configurable permissions
+| stored in {{ic|/run/secrets/}} with configurable permissions
 | uses [https://github.com/mozilla/sops sops]
+| yes
 | yes
 | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
@@ Line 94: / Line 97: @@
 | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
 | yes
+| no
 |
 |-
@@ Line 104: / Line 108: @@
 |
 | yes
+| no
 | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
+|-
+| [https://github.com/platonic-systems/secrix secrix]
+| encrypted raw files, like {{ic|agenix}}
+|
+| encrypted
+| decryption with the host ssh key
+| unencrypted in configured path in {{ic|/run}}
+| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
+| yes
+| no
+| Focuses on trying to keep secrets decrypted for a minimal amount of time
 |-
 ! scheme
@@ Line 114: / Line 130: @@
 ! encryption technology
 ! "official" project
+! templates
 ! notes
 |-
-| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
+| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
 | plain text file (unencrypted), can be stored in git
 | encryption
@@ Line 124: / Line 141: @@
 | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
 | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
+| no
 | Warning: plaintext is unencrypted in the nix store of the deployment machine
 |-
@@ Line 134: / Line 152: @@
 |
 | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
+| no
 | no
 |
@@ Line 146: / Line 165: @@
 | see "build time"
 | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
+| no
 | no
 | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
@@ Line 159: / Line 179: @@
 ! notes
 |}
+[[Category:Guide]]