Comparison of secret managing schemes

From NixOS Wiki

Revisions compared: "start page" and "add more solutions", both by user Lucc.

Revision as of 19:38, 25 March 2021

Introduction

Sometimes you need to use secrets in your system configuration. These range from user passwords and Wi-Fi passwords over private keys (SSH, SSL, ...) to API tokens and similar things. Normally one would store this kind of information in files with restricted access rights (readable only by a specific Unix user) or even encrypt them on disk. Nix and NixOS put a lot of information into the Nix store, which is world-readable, so at least the former is not possible there. People who track their configuration with Git (or even use Flakes) might even want to keep these secrets in the Git repository but still push the repository to some remote.

In these cases it is necessary to think about a suitable scheme to manage the relevant secrets so that they are only readable by the right people or machines. This page tries to give an overview of different schemes that can be used and outlines the aims, requirements and implications of each.
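The reason the usual file-permission approach fails, as an added NixOS example that is not part of the wiki page (the user name and the paths under /var/lib/secrets are assumptions): anything embedded in the evaluated configuration, whether as a literal, via builtins.readFile, or via path interpolation, is copied into the world-readable Nix store, while referencing a file by its path keeps the content outside the store.

```nix
# Added example (not from the wiki page): a NixOS module that shows how a
# secret ends up in the world-readable Nix store, beside the file-reference
# form that keeps it out. User "alice" and /var/lib/secrets/* are assumptions.
{ config, lib, pkgs, ... }:

{
  users.users.alice = {
    isNormalUser = true;

    # LEAKS: the literal becomes part of the evaluated configuration and is
    # written into a store path, readable by every user on the machine.
    # password = "hunter2";

    # LEAKS as well: readFile turns the file into a Nix string at evaluation
    # time, so its content (here the hash) is still copied into the store.
    # hashedPassword = builtins.readFile /var/lib/secrets/alice.hash;

    # OK: only the path string is stored; the file itself stays outside the
    # store and is read at activation time. (Older releases called this
    # option passwordFile.)
    hashedPasswordFile = "/var/lib/secrets/alice.hash";
  };

  # Related pitfall: interpolating a path value copies the file into the store
  # ("${/var/lib/secrets/example.env}" evaluates to /nix/store/...-example.env),
  # while toString keeps it as a plain string that is only resolved at runtime.
  systemd.services.example = {
    serviceConfig.ExecStart = "${pkgs.coreutils}/bin/true";
    serviceConfig.EnvironmentFile = toString /var/lib/secrets/example.env;  # OK
    # serviceConfig.EnvironmentFile = "${/var/lib/secrets/example.env}";   # LEAKS
  };

  # Check after a rebuild: nothing below /nix/store should contain the secret.
  #   grep -rl hunter2 /nix/store
}
```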

Definitions

The properties of the different schemes that are listed in the table below are explained in detail here. You are welcome to add more schemes (rows) to the table; please try to fill in as many of the properties as you can.

TODO (when the table takes shape)

Comparison

Comparison of secret managing schemes

| scheme | stored in git | encrypted (until) | in the store | "official" project | notes |
|---|---|---|---|---|---|
| NixOps keys (is there a better link to the docs that does not depend on a hydra build id?) | yes (in a nix expression) | no | no | yes | |
| agenix (https://github.com/ryantm/agenix) | | | | | |
| sops-nix (https://github.com/Mic92/sops-nix) | | | | | |
| krops (https://github.com/krebs/krops) | | | | | |
| builtins.readFile (discussed on discourse: https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274) | | | | | |
| builtins.exec (discussed in the same discourse thread) | | | | | |
| Blog entry 1 (https://christine.website/blog/nixos-encrypted-secrets-2021-01-20) | | | | | |