
Comparison of secret managing schemes: Difference between revisions

drop obsolete link
imported>Ryantm
No edit summary
(drop obsolete link)
 
(39 intermediate revisions by 9 users not shown)
Line 1: Line 1:
In case this page is dificult to read with the default theme try [https://nixos.wiki/index.php?title=Comparison_of_secret_managing_schemes&useskin=vector the vector theme].
== Introduction ==
== Introduction ==


Line 6: Line 4:
range from user passwords and Wifi passwords over private keys (ssh, ssl, ...)
range from user passwords and Wifi passwords over private keys (ssh, ssl, ...)
to API tokens and similar things. Normally one would store this kind of
to API tokens and similar things. Normally one would store this kind of
information in files with restricted access writes (only readable by some Unix
information in files with restricted access rights (only readable by some Unix
user) or even encrypt them on disk. Nix and NixOS store a lot of information
user) or even encrypt them on disk. Nix and NixOS store a lot of information
in the world-readable Nix store where at least the former is not possible. People who track
in the world-readable Nix store where at least the former is not possible. People who track
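Review bot: the "access writes" to "access rights" correction is right, but the sentence it sits in still reads as a calque: "range from user passwords and Wifi passwords over private keys (ssh, ssl, ...) to API tokens" should use "through" rather than "over" (and "Wi-Fi" is the usual spelling), e.g. "range from user and Wi-Fi passwords through private keys (ssh, ssl, ...) to API tokens and similar things". The later "where at least the former is not possible" also depends on the reader remembering that "the former" means restricted file permissions; naming it ("where restricting read access is not possible") would make the security point clearer.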
Line 16: Line 14:
machines. This page tries to give an overview of different schemes that can
machines. This page tries to give an overview of different schemes that can
be used and outlines the aims, requirements and implications of each.
be used and outlines the aims, requirements and implications of each.
This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete as people will start new projects to handle secrets in Nix(OS).


== Definitions ==
== Definitions ==
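Review bot: in the added sentence, "is likely never complete" should be "will likely never be complete", and "people will start new projects" reads better as "people keep starting new projects". The Discourse link is a useful provenance pointer; consider also mentioning that the table reflects the state of the projects at the time of editing, since the row contents (e.g. which tools support ssh-agent) go stale quickly.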
Line 21: Line 21:
The properties of the different schemes that are listed in the table below are
The properties of the different schemes that are listed in the table below are
explained in detail here.  You are welcome to add more schemes (rows) to the
explained in detail here.  You are welcome to add more schemes (rows) to the
table; please try to fill in as many of the properties as you can.
table; please try to fill in as many of the properties as you can. If you add a new column please try to fill it for all existing rows as much as possible.


; scheme
; scheme
Line 35: Line 35:
; runtime
; runtime
: where does the secret reside after system activation, is it encrypted, who can read it
: where does the secret reside after system activation, is it encrypted, who can read it
; encryption technology
: which programs or tools are used for encryption or decryption of secrets; whether {{ic|ssh-agent}}, {{ic|gpg-agent}} or similar are supported
; "official" project
; "official" project
: whether this is a published software project (maybe even actively developed) or just some notes in a forum or a blog entry
: whether this is a published software project (maybe even actively developed) or just some notes in a forum or a blog entry


== Comparison ==
== Comparison ==


{| class="wikitable"
{| class="wikitable"
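Review bot: the definition list gains only "encryption technology", while the header row added in the same revision also introduces a "templating support" column (later repeated as "templates"); add a matching definition entry ("; templating support" with a short explanation of what counts, e.g. rendering a config file that embeds a secret without putting the whole file in the store) so that contributors filling the new column have the same guidance as for the other properties.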
Line 48: Line 51:
! system activation
! system activation
! runtime
! runtime
! encryption technology
! "official" project
! "official" project
! templating support
! notes
! notes
|-
|-
| [https://hydra.nixos.org/build/115931128/download/1/manual/manual.html#idm140737322649152 NixOps keys]
| [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]]
(is there a better link to the docs that does not depend on a hydra build id?)
| plain value in a nix expression
| plain text in a nix expression
|
| not stored in the store
| ''N/A'' the user has to run {{ic|nixops send-keys}} to create these files after a (manual) reboot (not required after every reboot if destDir is persistent storage)
| unencrypted in {{ic|/run/keys/...}} or configured path
|
|
| no, stored outside of the store (TODO more info)
| ''N/A'' the user has to run {{ic|nixops
send-keys}} to create these files after a reboot (not required after every reboot if `destDir` is persistent storage)
| unencrypted in {{ic|/run/keys/...}}
| yes
| yes
| no
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
|-
|-
| [https://github.com/ryantm/agenix agenix]
| [[agenix]]
| `agenix` CLI encrypts with the user and host ssh key
| encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key
|  
|
| encrypted
| encrypted
| decryption with the host ssh key
| decryption with the host ssh key
| unencrypted in {{ic|/run/secrets/...}} or configured path
| unencrypted in {{ic|/run/secrets/...}} or configured path
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
| yes
| yes
| the underlying {{ic|age}} does not support {{ic|ssh-agent}}
| no
|
|-
|-
| [https://github.com/Mic92/sops-nix sops-nix]
| [https://github.com/Mic92/sops-nix sops-nix]
| encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git
|
|
|
| encrypted
|
| decryption
|
| stored in {{ic|/run/secrets/}} with configurable permissions
|
| uses [https://github.com/mozilla/sops sops]
| yes
| yes
| yes
|
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
|-
|-
| [https://github.com/krebs/krops krops]
| [https://github.com/krebs/krops krops]
| stored in [https://www.passwordstore.org/ the password store]
|
|
|
|
|
|
|
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
| yes
| yes
| no
|
|
|-
|-
| {{ic|buildins.readfile}}
| [https://github.com/tweag/terraform-nixos terraform-nixos]
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
| value of a nix expression
|
|
|
| stored in {{ic|/var/keys/...}} owned by the {{ic|keys}} unix group
|
|
|
|
|
|
| yes
| no
| no
|
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
|-
|-
| {{ic|buildins.exec}}
| [https://github.com/platonic-systems/secrix secrix]
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
| encrypted raw files, like {{ic|agenix}}
|
|
|
|
|
|
| encrypted
| decryption with the host ssh key
| unencrypted in configured path in {{ic|/run}}
| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
| yes
| no
| no
|
| Focuses on trying to keep secrets decrypted for a minimal amount of time
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templates
! notes
|-
|-
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
based on [https://github.com/FiloSottile/age age] and the ssh host key of the
target machine
| plain text file (unencrypted), can be stored in git
| plain text file (unencrypted), can be stored in git
| encryption
| encryption
| encrypted, in the store
| encrypted in the store
| decrypted by a systemd unit
| decrypted by a systemd unit
|
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog],
and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
|
|
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
| no
| Warning: plaintext is unencrypted in the nix store of the deployment machine
|-
|-
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
wrapper around {{ic|pass}} based on [https://github.com/shlevy/nix-plugins nix-plugins]
| stored in [https://www.passwordstore.org/ the password store]
| data is retrieved/decrypted with {{ic|pass}} during evaluation time
| unencrypted in the store
|
|
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
| no
| no
|
|
|
|-
|
| {{ic|builtins.readfile}}
{{ic|builtins.exec}}
discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] about build time secrets
| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or password manager etc.
| these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}}
| see "build time"
| see "build time"
| see "build time"
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
| no
| no
| no
|
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! notes
|}
|}
[[Category:Guide]]
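Review bot: the {{ic|builtins.readfile}} / {{ic|builtins.exec}} row has a stray empty cell right after its {{ic|<nowiki>|-</nowiki>}} separator (the lone "|" before "| {{ic|builtins.readfile}}"), which shifts every value in that row one column to the right, so "value of a nix expression" style cells end up under the wrong headers; drop that empty cell. The repeated header rows are also inconsistent with each other: the top header says "templating support", the mid-table one says "templates", and the closing header row omits the column altogether, so the three header rows have different column counts; use one name and the same ten columns in all three. Minor markup points in the same hunk: {{ic|nixops send-keys}} is split across a line break inside the template ("{{ic|nixops" / "send-keys}}"), which breaks the rendered code span, and `destDir` / `agenix` use Markdown backticks where the rest of the page uses {{ic|...}}; "support yubikey" in the sops-nix row should be "supports yubikey". On content, the "Warning: plaintext is unencrypted in the nix store of the deployment machine" cell for Blog entry 1 is the most important security-relevant line in the table and would be easier to find if the same wording were reused for the other schemes that evaluate a plaintext value in a nix expression (NixOps keys "plain text in a nix expression", Blog entry 2 "unencrypted in the store", and the {{ic|builtins.*}} row, whose "see build time" cells currently leave the store column implicit).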