Comparison of secret managing schemes: Difference between revisions

imported>Lucc
imported>Lucc
Line 48: Line 48:
! system activation
! system activation
! runtime
! runtime
! encryption technology
! "official" project
! "official" project
! notes
! notes
Line 57: Line 58:
| no, stored outside of the store (TODO more info)
| no, stored outside of the store (TODO more info)
| ''N/A'' the user has to run {{ic|nixops
| ''N/A'' the user has to run {{ic|nixops
send-keys}} to create these files after a reboot (not required after every reboot if destDir is persistent storage)  
send-keys}} to create these files after a reboot (not required after every reboot if destDir is persistent storage)
| unencrypted in {{ic|/run/keys/...}} or configured path
| unencrypted in {{ic|/run/keys/...}} or configured path
|
| yes
| yes
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
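Review bot: the cell added for the new encryption technology column in the nixops row (the lone `|` between `unencrypted in {{ic|/run/keys/...}} or configured path` and `| yes`) is left empty, and the first cell still carries `(TODO more info)`. The row already states that the keys are placed unencrypted by `nixops send-keys`, so the new cell could say ''N/A'' as the activation cell does, rather than rendering blank and leaving the reader to guess whether the column was simply not filled in.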
Line 64: Line 66:
| [https://github.com/ryantm/agenix agenix]
| [https://github.com/ryantm/agenix agenix]
| {{ic|agenix}} CLI encrypts with the user and host ssh key
| {{ic|agenix}} CLI encrypts with the user and host ssh key
|  
|
| encrypted
| encrypted
| decryption with the host ssh key
| decryption with the host ssh key
| unencrypted in {{ic|/run/secrets/...}} or configured path
| unencrypted in {{ic|/run/secrets/...}} or configured path
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host
keys, does not support {{ic|ssh-agent}}
| yes
| yes
| the underlying {{ic|age}} does not support {{ic|ssh-agent}}
|
|-
|-
| [https://github.com/Mic92/sops-nix sops-nix]
| [https://github.com/Mic92/sops-nix sops-nix]
| encrypted with gpg or ssh key
| encrypted with gpg or ssh key
|  
|
| encrypted
| encrypted
| decryption
| decryption
| stored in {{ic|/run/secrests/}} with configurable permissions
| stored in {{ic|/run/secrests/}} with configurable permissions
| uses [https://github.com/mozilla/sops sops]
| yes
| yes
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
|-
|-
| [https://github.com/krebs/krops krops]
| [https://github.com/krebs/krops krops]
| stored in [https://www.passwordstore.org/ the password store] (aka {{ic|pass}})
| stored in [https://www.passwordstore.org/ the password store]
|
|
|
|
|
|
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which
uses gpg
| yes
| yes
|
|
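Review bot: `stored in {{ic|/run/secrests/}} with configurable permissions` in the sops-nix row misspells the path; it is identical on both sides of this diff and should read `/run/secrets/`, matching the agenix row's `unencrypted in {{ic|/run/secrets/...}} or configured path`. The other moves in this hunk are consistent with the new column's purpose: the agenix ssh-agent caveat migrates from the notes cell into the encryption technology cell (leaving notes empty), and the krops row drops `(aka {{ic|pass}})` from its second cell but restates it, together with gpg, in the new cell.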
Line 91: Line 98:
| {{ic|builtins.readfile}}
| {{ic|builtins.readfile}}
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
|
|
|
|
|
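Review bot: `{{ic|builtins.readfile}}` is not the builtin's name; the Nix primop is spelled `builtins.readFile` (camelCase), and the misspelling is unchanged on both sides of this diff, so the row label should be corrected while the discourse link is kept. The rest of the row is a run of empty `|` cells, so it is also worth marking which one is meant for the new encryption technology column.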
Line 101: Line 109:
| {{ic|builtins.exec}}
| {{ic|builtins.exec}}
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse]
|
|
|
|
|
Line 110: Line 119:
|-
|-
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
based on [https://github.com/FiloSottile/age age] and the ssh host key of the
target machine
| plain text file (unencrypted), can be stored in git
| plain text file (unencrypted), can be stored in git
| encryption
| encryption
| encrypted in the store
| encrypted in the store
| decrypted by a systemd unit
| decrypted by a systemd unit
|  
|
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the
target machine
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog],
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog],
and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
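Review bot: the new side states the same fact twice: `based on [https://github.com/FiloSottile/age age] and the ssh host key of the target machine` is appended to the name cell, and the new encryption technology cell repeats it as `uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine`. Keep it only in the dedicated column so the first cell stays a plain label like the other rows. Minor: `no, [... blog],` followed by `and [... config repository]` leaves a stray comma before `and`.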
Line 122: Line 131:
|-
|-
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
|
|
|
|
|