Comparison of secret managing schemes: Difference between revisions
imported>Onny: Redirect agenix link to wiki page
imported>Mic92: Add templates column
Line 54: | Line 54: | ||
! encryption technology | ! encryption technology | ||
! "official" project | ! "official" project | ||
! templating support | |||
! notes | ! notes | ||
|- | |- | ||
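Review bot: the new "! templating support" header adds a column whose meaning the table never defines, so the yes/no cells below cannot be read consistently; add a one-line legend near the header stating what "yes" means (for instance, that the scheme can substitute decrypted secrets into configuration files on the target machine, rather than only exposing them as files), and state the same definition for the matching column in the second table.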
Line 64: | Line 65: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| "out of band", secret management happens outside of {{ic|nixos-rebuild}} | | "out of band", secret management happens outside of {{ic|nixos-rebuild}} | ||
|- | |- | ||
Line 74: | Line 76: | ||
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | | uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}} | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
Line 83: | Line 86: | ||
| stored in {{ic|/run/secrets/}} with configurable permissions | | stored in {{ic|/run/secrets/}} with configurable permissions | ||
| uses [https://github.com/mozilla/sops sops] | | uses [https://github.com/mozilla/sops sops] | ||
| yes | |||
| yes | | yes | ||
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | | can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] | ||
Line 94: | Line 98: | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
| yes | | yes | ||
| no | |||
| | | | ||
|- | |- | ||
Line 104: | Line 109: | ||
| | | | ||
| yes | | yes | ||
| no | |||
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | | see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs] | ||
|- | |- | ||
Line 114: | Line 120: | ||
! encryption technology | ! encryption technology | ||
! "official" project | ! "official" project | ||
! templates | |||
! notes | ! notes | ||
|- | |- | ||
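Review bot: this header is named "! templates" while the same column added to the first table (the Line 54 hunk) is named "! templating support"; use one name in both tables so readers recognise the two columns as the same attribute when comparing build-time and deployment-time schemes.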
Line 124: | Line 131: | ||
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | | uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine | ||
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | | no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository] | ||
| no | |||
| Warning: plaintext is unencrypted in the nix store of the deployment machine | | Warning: plaintext is unencrypted in the nix store of the deployment machine | ||
|- | |- | ||
Line 134: | Line 142: | ||
| | | | ||
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | | uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg | ||
| no | |||
| no | | no | ||
| | | | ||
Line 146: | Line 155: | ||
| see "build time" | | see "build time" | ||
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | | these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic" | ||
| no | |||
| no | | no | ||
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all | | the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all |