Comparison of secret managing schemes: Difference between revisions

imported>Lucc
imported>Lucc
Line 104: Line 104:
| yes
| yes
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! notes
|-
|-
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
| [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
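Review bot: the header row inserted in the middle of this hunk (`! scheme` through `! notes`) is a second copy of the table's column definitions, so any later wording change to a column such as `! {{ic|/nix/store}} (or on disk)` or `! "official" project` now has to be made in every copy or the copies will drift apart. If the table is long enough to need repeated headers, keep the cell text identical across all of them and consider an HTML comment in the page source reminding editors that the header row appears more than once.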
Line 133: Line 143:
about build time secrets
about build time secrets
| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or passwordmanager etc
| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or passwordmanager etc
| these functions return values in a nix expression, it is up to the user what happens to these values in `configuration.nix`
| these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}}
| see "build time"
| see "build time"
| see "build time"
| see "build time"
|
| see "build time"
|
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
| no
| no
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! notes
|}
|}
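Review bot: the `{{ic|/nix/store}}`, `system activation` and (newly added) `runtime` cells of the `builtins.readfile` / `builtins.exec` row all read `see "build time"`, but the build-time cell they point to only says "it is up to the user what happens to these values in {{ic|configuration.nix}}", so the reader is never told the actual consequence: a value returned into the Nix expression and interpolated into a derivation or generated config file lands in the world-readable Nix store, which is exactly the outcome the notes cell ("should not be stored in the nix store at all") warns against. Suggest stating that directly in the `{{ic|/nix/store}}` cell instead of deferring. The new `encryption technology` cell ("these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"") is the right clarification, and replacing the backticks with `{{ic|configuration.nix}}` matches the rest of the table. One casing point in the context lines: the Nix builtin is `builtins.readFile`, not `builtins.readfile`, and the third header row appended at the end of the hunk has the same duplication concern as the one in the previous hunk.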