Comparison of secret managing schemes: Difference between revisions
imported>Lucc |
m align wording |
||
(20 intermediate revisions by 10 users not shown) | |||
Line 4: | Line 4: | ||
range from user passwords and Wifi passwords over private keys (ssh, ssl, ...) | range from user passwords and Wifi passwords over private keys (ssh, ssl, ...) | ||
to API tokens and similar things. Normally one would store this kind of | to API tokens and similar things. Normally one would store this kind of | ||
information in files with restricted access | information in files with restricted access rights (only readable by some Unix | ||
user) or even encrypt them on disk. Nix and NixOS store a lot of information | user) or even encrypt them on disk. Nix and NixOS store a lot of information | ||
in the world-readable Nix store where at least the former is not possible. People who track | in the world-readable Nix store where at least the former is not possible. People who track | ||
Line 14: | Line 14: | ||
machines. This page tries to give an overview of different schemes that can | machines. This page tries to give an overview of different schemes that can | ||
be used and outlines the aims, requirements and implications of each. | be used and outlines the aims, requirements and implications of each. | ||
This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete as people will start new projects to handle secrets in Nix(OS). | |||
== Definitions == | == Definitions == | ||
Line 40: | Line 42: | ||
== Comparison == | == Comparison == | ||
{| class="wikitable" | {| class="wikitable" | ||
Line 52: | Line 53: | ||
! encryption technology | ! encryption technology | ||
! "official" project | ! "official" project | ||
! templating support | |||
! notes | ! notes | ||
|- | |- | ||
| [https:// | | [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]] | ||
| plain value in a nix expression | | plain value in a nix expression | ||
| | | | ||
Line 63: | Line 64: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| "out of band", secret management happens outside of {{ic|nixos-rebuild}} | | "out of band", secret management happens outside of {{ic|nixos-rebuild}} | ||
|- | |- | ||
| [ | | [[agenix]] | ||
| encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key | | encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key | ||
| | | | ||
Line 73: | Line 75: | ||
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
| [https://github.com/Mic92/sops-nix sops-nix] | | [https://github.com/Mic92/sops-nix sops-nix] | ||
| encrypted with | | encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git | ||
| | | | ||
| encrypted | | encrypted | ||
| decryption | | decryption | ||
| stored in {{ic|/run/ | | stored in {{ic|/run/secrets/}} with configurable permissions | ||
| uses [https://github.com/mozilla/sops sops] | | uses [https://github.com/mozilla/sops sops] | ||
| yes | |||
| yes | | yes | ||
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | ||
Line 93: | Line 97: | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
Line 103: | Line 108: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | ||
|- | |- | ||
| [https:// | | [https://github.com/platonic-systems/secrix secrix] | ||
| encrypted raw files, like {{ic|agenix}} | |||
| | |||
| encrypted | |||
| decryption with the host ssh key | |||
| unencrypted in configured path in {{ic|/run}} | |||
| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}} | |||
| yes | |||
| no | |||
| Focuses on trying to keep secrets decrypted for a minimal amount of time | |||
|- | |||
! scheme | |||
! pre build | |||
! build time | |||
! {{ic|/nix/store}} (or on disk) | |||
! system activation | |||
! runtime | |||
! encryption technology | |||
! "official" project | |||
! templating support | |||
! notes | |||
|- | |||
| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1] | |||
| plain text file (unencrypted), can be stored in git | | plain text file (unencrypted), can be stored in git | ||
| encryption | | encryption | ||
Line 113: | Line 141: | ||
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | ||
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | ||
| no | |||
| Warning: plaintext is unencrypted in the nix store of the deployment machine | | Warning: plaintext is unencrypted in the nix store of the deployment machine | ||
|- | |- | ||
Line 122: | Line 151: | ||
| | | | ||
| | | | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
uses gpg | | no | ||
| no | | no | ||
| | | | ||
Line 129: | Line 158: | ||
| {{ic|builtins.readfile}} | | {{ic|builtins.readfile}} | ||
{{ic|builtins.exec}} | {{ic|builtins.exec}} | ||
discussion | discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] about build time secrets | ||
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | | {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or password manager etc. | ||
about build time secrets | | these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}} | ||
| | | see "build time" | ||
| | | see "build time" | ||
| | | see "build time" | ||
| | | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | ||
| | | no | ||
| | |||
| no | | no | ||
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all | | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all | ||
|- | |||
! scheme | |||
! pre build | |||
! build time | |||
! {{ic|/nix/store}} (or on disk) | |||
! system activation | |||
! runtime | |||
! encryption technology | |||
! "official" project | |||
! templating support | |||
!'''notes''' | |||
|} | |} | ||
[[Category:Guide]] |
Latest revision as of 13:14, 11 August 2024
Introduction
Sometimes you need to use secrets in your system configuration. Those can range from user passwords and Wifi passwords over private keys (ssh, ssl, ...) to API tokens and similar things. Normally one would store this kind of information in files with restricted access rights (only readable by some Unix user) or even encrypt them on disk. Nix and NixOS store a lot of information in the world-readable Nix store where at least the former is not possible. People who track their configuration with Git (or use Flakes) might even want to store these secrets in the Git repository but still upload the repository somewhere.
In these cases it is necessary to think about a suitable scheme to manage the relevant secrets so that they are only readable by the right people or machines. This page tries to give an overview of different schemes that can be used and outlines the aims, requirements and implications of each.
This page was created from a discussion on Discourse and is likely never complete as people will start new projects to handle secrets in Nix(OS).
Definitions
The properties of the different schemes that are listed in the table below are explained in detail here. You are welcome to add more schemes (rows) to the table; please try to fill in as many of the properties as you can. If you add a new column please try to fill it for all existing rows as much as possible.
- scheme
- the name of the scheme, if possible a link to the official website or source, maybe a short description
- pre build
- Where does the secret reside before the configuration is build? In a file, in a nix expression, in an external database (password manager)? Is it encrypted?
- build time
- what happens at build time, is the secret decrypted or encrypted, which master passwords, passphrases or helper programs are needed
- in the store (on disk)
- Is the data stored in
/nix/store
after the build? Is it encrypted. This has implications for reproducability. If a secret is not stored in the nix store it might be more difficult to recreate an old system configuration - system activation
- what happens to the data at system activation, that is at boot time or when
nixos-rebuild switch
or--rollback
is executed - runtime
- where does the secret reside after system activation, is it encrypted, who can read it
- encryption technology
- which programs or tools are used for encryption or decryption of secrets; whether
ssh-agent
,gpg-agent
or similar are supported - "official" project
- whether this is a published software project (maybe even actively developed) or just some notes in a forum or a blog entry
Comparison
scheme | pre build | build time | /nix/store (or on disk)
|
system activation | runtime | encryption technology | "official" project | templating support | notes |
---|---|---|---|---|---|---|---|---|---|
deployment.keys. options of NixOps
|
plain value in a nix expression | not stored in the store | N/A the user has to run nixops send-keys to create these files after a (manual) reboot (not required after every reboot if destDir is persistent storage)
|
unencrypted in /run/keys/... or configured path
|
yes | no | "out of band", secret management happens outside of nixos-rebuild
| ||
agenix | encrypted raw files, agenix CLI encrypts with the user and host ssh key
|
encrypted | decryption with the host ssh key | unencrypted in /run/secrets/... or configured path
|
uses age with ssh user and host keys, does not support ssh-agent
|
yes | no | ||
sops-nix | encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git | encrypted | decryption | stored in /run/secrets/ with configurable permissions
|
uses sops | yes | yes | can be used with NixOps, nixos-rebuild , krops, morph, nixus
| |
krops | stored in the password store | uses the password store (aka pass ) which uses gpg
|
yes | no | |||||
terraform-nixos | value of a nix expression | stored in /var/keys/... owned by the keys unix group
|
yes | no | see [1] | ||||
secrix | encrypted raw files, like agenix
|
encrypted | decryption with the host ssh key | unencrypted in configured path in /run
|
uses age by default with ssh user and host keys, does not support ssh-agent
|
yes | no | Focuses on trying to keep secrets decrypted for a minimal amount of time | |
scheme | pre build | build time | /nix/store (or on disk)
|
system activation | runtime | encryption technology | "official" project | templating support | notes |
Blog entry 1 | plain text file (unencrypted), can be stored in git | encryption | encrypted in the store | decrypted by a systemd unit | uses age and the ssh host key of the target machine | no, blog, and config repository | no | Warning: plaintext is unencrypted in the nix store of the deployment machine | |
Blog entry 2
wrapper around |
stored in the password store | data is retrieved/decrypted with pass during evaluation time
|
unencrypted in the store | uses the password store (aka pass ) which uses gpg
|
no | no | |||
builtins.readfile
|
builtins.readfile can read any file, builtins.exec can execute commands and thus query any kind of database or password manager etc.
|
these functions return values in a nix expression, it is up to the user what happens to these values in configuration.nix
|
see "build time" | see "build time" | see "build time" | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | no | no | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all |
scheme | pre build | build time | /nix/store (or on disk)
|
system activation | runtime | encryption technology | "official" project | templating support | notes |