Comparison of secret managing schemes: Difference between revisions
imported>Lucc
Line 59:
|
| not stored in the store
| ''N/A'' the user has to run {{ic|nixops send-keys}} manually to recreate these files after a reboot (not required if {{ic|destDir}} points at persistent storage, since the files then survive the reboot)
| unencrypted in {{ic|/run/keys/...}} or the configured {{ic|destDir}}
|
Line 72:
| decryption with the host ssh key
| unencrypted in {{ic|/run/secrets/...}} or configured path
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys; does not support {{ic|ssh-agent}} (age needs the private key file itself, not an agent-held key)
| yes
|
Line 93:
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}), which uses gpg
| yes
|
Line 114:
| decrypted by a systemd unit
|
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog] and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
| Warning: the plaintext ends up in the (world-readable) nix store of the deployment machine
|-
Line 144:
|
| no
| the linked discussion is about a signing key that is only needed at build time and should not be stored in the nix store at all
|}
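As an added example, not taken from this page or from the nixops project itself, the following nixops network fragment shows the {{ic|nixops send-keys}} row in practice: a key shipped with {{ic|deployment.keys}}, a service ordered after the generated {{ic|<name>-key.service}}, and the {{ic|destDir}} choice that the table's reboot caveat is about. The machine name {{ic|api01}}, its host name, the key name {{ic|api-token}}, the user {{ic|api}} and all paths are assumptions made for the example.

```nix
# Added example (not from the wiki page or from nixops): network.nix fragment.
# Assumed names: machine "api01", key "api-token", user/group "api", paths below.
{
  api01 = { config, pkgs, ... }: {
    deployment.targetHost = "api01.example.org";   # assumed host name

    users.users.api = { isSystemUser = true; group = "api"; };
    users.groups.api = {};

    # The secret is read from a file on the deployment machine and pushed over
    # ssh by `nixops deploy` / `nixops send-keys`. It never enters the nix
    # store, which is what "not stored in the store" in the table refers to.
    deployment.keys."api-token" = {
      keyFile = ./secrets/api-token;   # plaintext file; keep it out of version control
      user = "api";
      group = "api";
      permissions = "0400";

      # Default destDir is /run/keys, a tmpfs: after a reboot the key is gone
      # until someone runs `nixops send-keys`, and the service below will not
      # start until then.
      # destDir = "/run/keys";

      # Persistent destDir: the key survives reboots, so no manual send-keys is
      # needed, at the price of keeping the plaintext on disk permanently.
      destDir = "/var/keys";
    };

    systemd.services.api = {
      description = "API service using the deployed token";
      # nixops generates <name>-key.service, which becomes active once the key
      # file exists; ordering after it avoids starting before the key is there.
      after = [ "api-token-key.service" ];
      wants = [ "api-token-key.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "api";
        Group = "api";
        # Hand the daemon the *path* of the key, never its contents: anything
        # interpolated into the unit file would land in the nix store.
        # `cat` stands in for the real daemon in this example.
        ExecStart = "${pkgs.coreutils}/bin/cat ${config.deployment.keys."api-token".destDir}/api-token";
      };
    };
  };
}
```

With the default tmpfs {{ic|destDir}} the trade-off is the one in the table: nothing secret survives on disk, but every reboot needs a manual {{ic|nixops send-keys}} before {{ic|api.service}} can start. With a persistent {{ic|destDir}} the service comes up unattended, and the plaintext key is now subject to whatever protects that disk (full-disk encryption, backups, image snapshots).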