Official NixOS Wiki

Comparison of secret managing schemes: Difference between revisions

← Older edit
Woile (talk | contribs)
26 edits
VisualWikitext
Malix (talk | contribs)
135 edits
m Comparison: fix table
Woile (talk | contribs)
26 edits
m keep consistency, remove code blocks for projects
 
(2 intermediate revisions by 2 users not shown)
Line 4: Line 4:


While this paradigm is still available to NixOS users, a Nix-managed system is in an unique position to leverage <b>secret managing schemes</b>: special software capable of deploying secret information securely. Instead of writing the secret information unencrypted to a NixOS configuration, the software described below can decrypt the relevant secrets and deploy them at various stages of the NixOS system deployment process. This advanced form of secrets configuration is even more important for NixOS configurations tracked with Git or [[Flakes]], as one will be able to store these encrypted secrets in the Git repository and still be able to upload the repository on the public Internet.
While this paradigm is still available to NixOS users, a Nix-managed system is in an unique position to leverage <b>secret managing schemes</b>: special software capable of deploying secret information securely. Instead of writing the secret information unencrypted to a NixOS configuration, the software described below can decrypt the relevant secrets and deploy them at various stages of the NixOS system deployment process. This advanced form of secrets configuration is even more important for NixOS configurations tracked with Git or [[Flakes]], as one will be able to store these encrypted secrets in the Git repository and still be able to upload the repository on the public Internet.
The most popular options for secrets management are [[Agenix]], [https://github.com/Mic92/sops-nix sops-nix] or the secrets management solution native to the deployment tool you chose. Below follows a more in-depth comparison including less well-known solutions.


== Definitions ==
== Definitions ==
Line 65: Line 67:
|
|
|-
|-
| <code>[https://github.com/oddlama/agenix-rekey agenix-rekey]</code>
| [https://github.com/oddlama/agenix-rekey agenix-rekey]
| Extended <code>agenix</code>.
| Extended <code>agenix</code>.
| N/A
| N/A
Line 151: Line 153:
|
|
|-
|-
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog Entry]: wrapper around <code>pass</code> based on <code>[https://github.com/shlevy/nix-plugins nix-plugins]</code>.
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog Entry]: wrapper around <code>pass</code> based on [https://github.com/shlevy/nix-plugins nix-plugins].
| Stored in [https://www.passwordstore.org/ the password store].
| Stored in [https://www.passwordstore.org/ the password store].
| Data is retrieved/decrypted with <code>pass</code> during evaluation time.
| Data is retrieved/decrypted with <code>pass</code> during evaluation time.
Line 173: Line 175:
| The referenced NixOS Discourse discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all.
| The referenced NixOS Discourse discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all.
|-
|-
| [https://mrvandalo.github.io/nixos-artifacts/nixos-artifacts/latest/ nixos-artifacts]
| depends on backend
| artifacts cli is needed most of the time, but built-time depends on chosen backends
| depends on backend
| depends on backend
| depends on backend
| depends on backend
| Yes
| No (but planed)
| Backend agnostic secret manager. Unified secret definition and backend configuration managed differently from another.
|-
! Scheme
! Scheme
! Pre-build
! Pre-build
Retrieved from "https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes"