Comparison of secret managing schemes: Difference between revisions

Older revision: imported>Onny (edit summary: Redirect agenix link to wiki page)
Newer revision: imported>Mic92 (edit summary: Add templates column)
Line 54 (older) / Line 54 (newer):
 ! encryption technology
 ! "official" project
+! templating support
 ! notes
 |-
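Review bot: inserting a header cell between `! "official" project` and `! notes` means every data row of this table needs a new cell at the same position, otherwise the existing `notes` cells shift under the new column; the row hunks below each add one, but make sure no data row of this table is left without it.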
Line 64 (older) / Line 65 (newer):
 |
 | yes
+| no
 | "out of band", secret management happens outside of {{ic|nixos-rebuild}}
 |-
Line 74 (older) / Line 76 (newer):
 | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
 | yes
+| no
 |
 |-
Line 83 (older) / Line 86 (newer):
 | stored in {{ic|/run/secrets/}} with configurable permissions
 | uses [https://github.com/mozilla/sops sops]
 | yes
+| yes
 | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
Line 94 (older) / Line 98 (newer):
 | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
 | yes
+| no
 |
 |-
Line 104 (older) / Line 109 (newer):
 |
 | yes
+| no
 | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
 |-
Line 114 (older) / Line 120 (newer):
 ! encryption technology
 ! "official" project
+! templates
 ! notes
 |-
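Review bot: this header cell is labelled `! templates`, while the same column added to the first table (hunk at Line 54) is labelled `! templating support`; use one label in both tables so the two tables can be compared column by column.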
Line 124 (older) / Line 131 (newer):
 | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
 | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
+| no
 | Warning: plaintext is unencrypted in the nix store of the deployment machine
 |-
Line 134 (older) / Line 142 (newer):
 |
 | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
 | no
+| no
 |
Line 146 (older) / Line 155 (newer):
 | see "build time"
 | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
 | no
+| no
 | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all