Old revision: imported>Fricklerhandwerk m (add go guide category)
New revision: (drop obsolete link)
(6 intermediate revisions by 4 users not shown)
Line 42: | Line 42: | ||
== Comparison == | == Comparison == | ||
{| class="wikitable" | {| class="wikitable" | ||
Line 54: | Line 53: | ||
! encryption technology | ! encryption technology | ||
! "official" project | ! "official" project | ||
! templating support | |||
! notes | ! notes | ||
|- | |- | ||
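Review bot: the new "! templating support" header does not say what feature the yes/no cells in the rows below refer to; add a short explanation on the page (in the header text or a footnote next to the table) of what counts as templating support, so the values added for each scheme can be read consistently.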
Line 64: | Line 64: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| "out of band", secret management happens outside of {{ic|nixos-rebuild}} | | "out of band", secret management happens outside of {{ic|nixos-rebuild}} | ||
|- | |- | ||
| [ | | [[agenix]] | ||
| encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key | | encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key | ||
| | | | ||
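Review bot: the scheme cell now reads [[agenix]], an internal wiki link, while the other scheme cells on the page (for example the secrix row added further down) link to the upstream repository with an external URL; confirm a wiki page named agenix actually exists so this cell does not render as a broken link, and consider keeping the repository URL alongside it for consistency with the other rows.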
Line 74: | Line 75: | ||
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
Line 83: | Line 85: | ||
| stored in {{ic|/run/secrets/}} with configurable permissions | | stored in {{ic|/run/secrets/}} with configurable permissions | ||
| uses [https://github.com/mozilla/sops sops] | | uses [https://github.com/mozilla/sops sops] | ||
| yes | |||
| yes | | yes | ||
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | ||
Line 94: | Line 97: | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
Line 104: | Line 108: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | ||
|- | |||
| [https://github.com/platonic-systems/secrix secrix] | |||
| encrypted raw files, like {{ic|agenix}} | |||
| | |||
| encrypted | |||
| decryption with the host ssh key | |||
| unencrypted in configured path in {{ic|/run}} | |||
| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}} | |||
| yes | |||
| no | |||
| Focuses on trying to keep secrets decrypted for a minimal amount of time | |||
|- | |- | ||
! scheme | ! scheme | ||
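Review bot: the notes cell "Focuses on trying to keep secrets decrypted for a minimal amount of time" is too vague for a comparison table; the "unencrypted in configured path in {{ic|/run}}" cell says where the plaintext lands but not when it is written or removed, so state how that window is bounded. Also, the other notes cells in this table start lowercase ("uses ...", "can be used ...", "see ..."); "Focuses" should follow the same style.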
Line 114: | Line 130: | ||
! encryption technology | ! encryption technology | ||
! "official" project | ! "official" project | ||
! templates | |||
! notes | ! notes | ||
|- | |- | ||
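Review bot: this header is added as "! templates" while the same column in the first table was added as "! templating support"; use one wording for both tables so readers see they are the same column.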
| [https:// | | [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1] | ||
| plain text file (unencrypted), can be stored in git | | plain text file (unencrypted), can be stored in git | ||
| encryption | | encryption | ||
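Review bot: the link label "Blog entry 1" says nothing about what is linked; give it a descriptive label (the post's title or the site name) so the scheme column is readable without following the link, in the same way the other scheme cells name the tool they point to.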
Line 124: | Line 141: | ||
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | ||
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | ||
| no | |||
| Warning: plaintext is unencrypted in the nix store of the deployment machine | | Warning: plaintext is unencrypted in the nix store of the deployment machine | ||
|- | |- | ||
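Review bot: the "official project" cell still links https://christine.website/blog/nixos-encrypted-secrets-2021-01-20, while the scheme cell for the same row was updated in the previous hunk to https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 for the same post; update this URL too so the row does not point at two different domains for one article.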
Line 134: | Line 152: | ||
| | | | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
| no | |||
| no | | no | ||
| | | | ||
Line 146: | Line 165: | ||
| see "build time" | | see "build time" | ||
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | ||
| no | |||
| no | | no | ||
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all | | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all |