Comparison of secret managing schemes: Difference between revisions

← Older edit

Comparison of secret managing schemes (view source)

Revision as of 14:07, 1 April 2024

1,564 bytes added , 1 April

drop obsolete link

VisualWikitext

Mic92

Bureaucrats, Interface administrators, Administrators

193

edits

@@ Line 4: / Line 4: @@
 range from user passwords and Wifi passwords over private keys (ssh, ssl, ...)
 to API tokens and similar things. Normally one would store this kind of
-information in files with restricted access writes (only readable by some Unix
+information in files with restricted access rights (only readable by some Unix
 user) or even encrypt them on disk. Nix and NixOS store a lot of information
 in the world-readable Nix store where at least the former is not possible. People who track
@@ Line 14: / Line 14: @@
 machines. This page tries to give an overview of different schemes that can
 be used and outlines the aims, requirements and implications of each.
+This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete as people will start new projects to handle secrets in Nix(OS).
 == Definitions ==
@@ Line 40: / Line 42: @@
 == Comparison ==
-In case this table is difficult to read with the default theme, try [https://nixos.wiki/index.php?title=Comparison_of_secret_managing_schemes&useskin=vector#Comparison the vector theme].
 {| class="wikitable"
@@ Line 52: / Line 53: @@
 ! encryption technology
 ! "official" project
+! templating support
 ! notes
 |-
-| [https://hydra.nixos.org/build/115931128/download/1/manual/manual.html#idm140737322649152 NixOps keys]
+| [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]]
-(is there a better link to the docs that does not depend on a hydra build id?)
 | plain value in a nix expression
 |
 | not stored in the store
-| ''N/A'' the user has to run {{ic|nixops
+| ''N/A'' the user has to run {{ic|nixops send-keys}} to create these files after a (manual) reboot (not required after every reboot if destDir is persistent storage)
-send-keys}} to create these files after a (manual) reboot (not required after every reboot if destDir is persistent storage)
 | unencrypted in {{ic|/run/keys/...}} or configured path
 |
 | yes
+| no
 | "out of band", secret management happens outside of {{ic|nixos-rebuild}}
 |-
-| [https://github.com/ryantm/agenix agenix]
+| [[agenix]]
 | encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key
 |
@@ Line 72: / Line 73: @@
 | decryption with the host ssh key
 | unencrypted in {{ic|/run/secrets/...}} or configured path
-| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host
+| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
-keys, does not support {{ic|ssh-agent}}
 | yes
+| no
 |
 |-
 | [https://github.com/Mic92/sops-nix sops-nix]
-| encrypted with gpg or ssh key
+| encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git
 |
 | encrypted
 | decryption
-| stored in {{ic|/run/secrests/}} with configurable permissions
+| stored in {{ic|/run/secrets/}} with configurable permissions
 | uses [https://github.com/mozilla/sops sops]
+| yes
 | yes
 | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
@@ Line 93: / Line 95: @@
 |
 |
-| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which
+| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
-uses gpg
 | yes
+| no
 |
 |-
-| {{ic|builtins.readfile}}
+| [https://github.com/tweag/terraform-nixos terraform-nixos]
-[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
+| value of a nix expression
-|
-|
 |
+| stored in {{ic|/var/keys/...}} owned by the {{ic|keys}} unix group
 |
 |
 |
+| yes
 | no
-|
+| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
 |-
-| {{ic|builtins.exec}}
+| [https://github.com/platonic-systems/secrix secrix]
-[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
+| encrypted raw files, like {{ic|agenix}}
-|
-|
-|
-|
-|
 |
+| encrypted
+| decryption with the host ssh key
+| unencrypted in configured path in {{ic|/run}}
+| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
+| yes
 | no
-|
+| Focuses on trying to keep secrets decrypted for a minimal amount of time
+|-
+! scheme
+! pre build
+! build time
+! {{ic|/nix/store}} (or on disk)
+! system activation
+! runtime
+! encryption technology
+! "official" project
+! templates
+! notes
 |-
-| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
+| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
 | plain text file (unencrypted), can be stored in git
 | encryption
@@ Line 126: / Line 139: @@
 | decrypted by a systemd unit
 |
-| uses [https://github.com/FiloSottile/age age] and the ssh host key of the
+| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
-target machine
+| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
-| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog],
+| no
-and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
 | Warning: plaintext is unencrypted in the nix store of the deployment machine
 |-
@@ Line 137: / Line 149: @@
 | data is retrieved/decrypted with {{ic|pass}} during evaluation time
 | unencrypted in the store
-|
 |
-| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which
+|
-uses gpg
+| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
+| no
 | no
 |
+|-
+| {{ic|builtins.readfile}}
+{{ic|builtins.exec}}
+discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] about build time secrets
+| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or password manager etc.
+| these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}}
+| see "build time"
+| see "build time"
+| see "build time"
+| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
+| no
+| no
+| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
+|-
+! scheme
+! pre build
+! build time
+! {{ic|/nix/store}} (or on disk)
+! system activation
+! runtime
+! encryption technology
+! "official" project
+! notes
 |}
+[[Category:Guide]]