Comparison of secret managing schemes: Difference between revisions
imported>Lucc |
Line 48: | Line 48: | ||
! system activation | ! system activation | ||
! runtime | ! runtime | ||
! encryption technology | |||
! "official" project | ! "official" project | ||
! notes | ! notes | ||
Line 57: | Line 58: | ||
| no, stored outside of the store (TODO more info) | | no, stored outside of the store (TODO more info) | ||
| ''N/A'' the user has to run {{ic|nixops send-keys}} to create these files after a reboot (not required after every reboot if {{ic|destDir}} is persistent storage) | | ''N/A'' the user has to run {{ic|nixops send-keys}} to create these files after a reboot (not required after every reboot if {{ic|destDir}} is persistent storage) | ||
| unencrypted in {{ic|/run/keys/...}} or configured path | | unencrypted in {{ic|/run/keys/...}} or configured path | ||
| | |||
| yes | | yes | ||
| "out of band", secret management happens outside of {{ic|nixos-rebuild}} | | "out of band", secret management happens outside of {{ic|nixos-rebuild}} | ||
Line 64: | Line 66: | ||
| [https://github.com/ryantm/agenix agenix] | | [https://github.com/ryantm/agenix agenix] | ||
| {{ic|agenix}} CLI encrypts with the user and host ssh key | | {{ic|agenix}} CLI encrypts with the user and host ssh key | ||
| | | | ||
| encrypted | | encrypted | ||
| decryption with the host ssh key | | decryption with the host ssh key | ||
| unencrypted in {{ic|/run/secrets/...}} or configured path | | unencrypted in {{ic|/run/secrets/...}} or configured path | ||
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | |||
| yes | | yes | ||
| | | | ||
|- | |- | ||
| [https://github.com/Mic92/sops-nix sops-nix] | | [https://github.com/Mic92/sops-nix sops-nix] | ||
| encrypted with gpg or ssh key | | encrypted with gpg or ssh key | ||
| | | | ||
| encrypted | | encrypted | ||
| decryption with the host ssh key (converted to an {{ic|age}} key) or a gpg key | | decryption with the host ssh key (converted to an {{ic|age}} key) or a gpg key | ||
| unencrypted in {{ic|/run/secrets/}} with configurable owner and permissions | | unencrypted in {{ic|/run/secrets/}} with configurable owner and permissions | ||
| uses [https://github.com/mozilla/sops sops] | |||
| yes | | yes | ||
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | ||
|- | |- | ||
| [https://github.com/krebs/krops krops] | | [https://github.com/krebs/krops krops] | ||
| stored in [https://www.passwordstore.org/ the password store] | | stored in [https://www.passwordstore.org/ the password store] | ||
| | | | ||
| | | | ||
| | | | ||
| | | | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | |||
| yes | | yes | ||
| | | | ||
Line 91: | Line 98: | ||
| {{ic|builtins.readFile}} | | {{ic|builtins.readFile}} | ||
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | ||
| | |||
| | | | ||
| | | | ||
Line 101: | Line 109: | ||
| {{ic|builtins.exec}} | | {{ic|builtins.exec}} | ||
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | ||
| | |||
| | | | ||
| | | | ||
Line 110: | Line 119: | ||
|- | |- | ||
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1] | | [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1] | ||
| plain text file (unencrypted), can be stored in git | | plain text file (unencrypted), can be stored in git | ||
| encryption | | encryption | ||
| encrypted in the store | | encrypted in the store | ||
| decrypted by a systemd unit | | decrypted by a systemd unit | ||
| | | | ||
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | |||
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog] and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog] and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | ||
Line 122: | Line 131: | ||
|- | |- | ||
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2] | | [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2] | ||
| | |||
| | | | ||
| | | |