Comparison of secret managing schemes: Difference between revisions
imported>Lucc |
imported>Lucc |
||
Line 96: | Line 96: | ||
uses gpg | uses gpg | ||
| yes | | yes | ||
| | | | ||
|- | |- | ||
Line 137: | Line 115: | ||
| data is retrieved/decrypted with {{ic|pass}} during evaluation time | | data is retrieved/decrypted with {{ic|pass}} during evaluation time | ||
| unencrypted in the store | | unencrypted in the store | ||
| | | | ||
| | | | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which | ||
Line 143: | Line 121: | ||
| no | | no | ||
| | | | ||
|- | |||
| {{ic|builtins.readfile}} | |||
{{ic|builtins.exec}} | |||
discussion | |||
[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] | |||
about build time secrets | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| | |||
| no | |||
| the linked discussion is about a signing key that is only needed during | |||
build time and should not be stored in the nix store at all | |||
|} | |} |
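Review bot: the row that appears only in the left-hand column of the Line 143/121 hunk (after the `| no` line) spells the Nix builtin as `builtins.readfile`; the builtin is named `builtins.readFile`. If this row is being dropped from the table, the link to the discourse discussion about build time secrets goes with it, along with the note that a signing key needed only during build time should not be stored in the nix store at all. Since the row leaves most of its comparison cells empty, consider keeping that pointer as a short note outside the comparison table instead of removing it outright.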