Comparison of secret managing schemes: Difference between revisions

Timka (talk | contribs)
m grammar
Rewrite to follow the Manual of Style and a general cleanup of outdated information. TODO: the rest of the table needs a cleanup.
 
Line 1: Line 1:
== Introduction ==
== Introduction ==


Sometimes you need to use secrets in your system configuration. Those can
Some NixOS modules require the use of secret information to function correctly. This information can include user<ref>The <code>[http://search.nixos.org/options?show=users.users.%253Cname%253E.hashedPasswordFile <nowiki>users.users.<name>.hashedPasswordFile</nowiki>]</code> option.</ref> and Wi-Fi passwords<ref>The {{nixos:option|networking.wireless.secretsFile}} option.</ref>, cryptographic private keys<ref>The {{nixos:option|services.openssh.hostKeys}} option.</ref> and secret API tokens<ref>The {{nixos:option|services.mjolnir.accessTokenFile}} option. (among many others)</ref>, among many other examples of secret information. On a standard Linux system, one would store this kind of information in separate files with restricted access rights (only readable by some Unix user) or encrypt them on-disk.  
range from user passwords and Wifi passwords over private keys (ssh, ssl, ...)
to API tokens and similar things. Normally one would store this kind of
information in files with restricted access rights (only readable by some Unix
user) or even encrypt them on disk. Nix and NixOS store a lot of information
in the world-readable Nix store where at least the former is not possible. People who track
their configuration with Git (or use [[Flakes]]) might even want to store
these secrets in the Git repository but still upload the repository somewhere.


In these cases it is necessary to think about a suitable scheme to manage the
While this paradigm is still available to NixOS users, a Nix-managed system is in an unique position to leverage <b>secret managing schemes</b>: special software capable of deploying secret information securely. Instead of writing the secret information unencrypted to a NixOS configuration, the software described below can decrypt the relevant secrets and deploy them at various stages of the NixOS system deployment process. This advanced form of secrets configuration is even more important for NixOS configurations tracked with Git or [[Flakes]], as one will be able to store these encrypted secrets in the Git repository and still be able to upload the repository on the public Internet.
relevant secrets so that they are only readable by the right people or
machines. This page tries to give an overview of different schemes that can
be used and outlines the aims, requirements and implications of each.
 
This page was created from a [https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/13 discussion on Discourse] and is likely never complete as people will start new projects to handle secrets in Nix(OS).


== Definitions ==
== Definitions ==


The properties of the different schemes that are listed in the table below are
The properties of the different schemes that are listed in the table below are explained in detail here.
explained in detail here.  You are welcome to add more schemes (rows) to the
table; please try to fill in as many of the properties as you can. If you add a new column please try to fill it for all existing rows as much as possible.


; scheme
; Scheme
: the name of the scheme, if possible a link to the official website or source, maybe a short description
: The name of the scheme; if possible also a link to the official website or source.
; pre build
; Pre-build
: Where does the secret reside before the configuration is built? In a file, in a nix expression, in an external database (password manager)? Is it encrypted?
: Where does the secret reside before the configuration is built? In a file? In a Nix expression? In an external database? Is it encrypted?
; build time
; Build time
: what happens at build time, is the secret decrypted or encrypted, which master passwords, passphrases or helper programs are needed
: What happens at build time? Is the secret decrypted or encrypted? Which primary passwords, passphrases or helper programs are needed?
; in the store (on disk)
; In the store
: Is the data stored in {{ic|/nix/store}} after the build? Is it encryptedThis has implications for reproducability. If a secret is not stored in the nix store it might be more difficult to recreate an old system configuration
: Is the data stored in <code>/nix/store</code> after the build? Is it encrypted? This has implications for reproducibility: if a secret is not stored in the Nix store it might be more difficult to recreate an old system configuration.
; system activation
; System activation
: what happens to the data at system activation, that is at boot time or when {{ic|nixos-rebuild switch}} or {{ic|--rollback}} is executed
: What happens to the data at system activation, that is, at boot time or when <code>nixos-rebuild switch</code> or <code>nixos-rebuild switch --rollback</code> is executed.
; runtime
; Runtime
: where does the secret reside after system activation, is it encrypted, who can read it
: Where does the secret reside after system activation? Is it encrypted? Who can read it?
; encryption technology
; Encryption technology
: which programs or tools are used for encryption or decryption of secrets; whether {{ic|ssh-agent}}, {{ic|gpg-agent}} or similar are supported
: Which programs or tools are used for encryption or decryption of secrets? Is <code>ssh-agent</code> or <code>gpg-agent</code> supported?
; "official" project
; Usable project
: whether this is a published software project (maybe even actively developed) or just some notes in a forum or a blog entry
: Whether this is a published software project (maybe even actively developed) or just usage notes in a forum or a blog entry.
; Templating support
: Whether the project supports configuration templates, a way to seamlessly embed secrets in the syntax of a specific configuration file.


== Comparison ==
== Comparison ==


{| class="wikitable"
{| class="wikitable"
|+ Comparison of secret managing schemes
|+ Comparison of secret managing schemes<ref>[https://discourse.nixos.org/t/comparison-of-different-key-secret-managing-schemes/12001/1 Comparison of different key/secret managing schemes] on the NixOS Discourse</ref>
! scheme
! Scheme
! pre build
! Pre-build
! build time
! Build time
! {{ic|/nix/store}} (or on disk)
! In the store
! system activation
! System activation
! runtime
! Runtime
! encryption technology
! Encryption technology
! "official" project
! Usable project
! templating support
! Templating support
! notes
! Additional notes
|-
|-
| [https://nixops.readthedocs.io/en/latest/overview.html#managing-keys {{ic|deployment.keys.}} options of] [[NixOps]]
| <code>[https://nixops.readthedocs.io/en/latest/overview.html#managing-keys <nowiki>deployment.keys.<name></nowiki>]</code> option in [[NixOps]]
| plain value in a nix expression
| Plaintext value in a Nix expression.
|
| N/A
| not stored in the store
| Not stored in the Nix Store.
| ''N/A'' the user has to run {{ic|nixops send-keys}} to create these files after a (manual) reboot (not required after every reboot if destDir is persistent storage)
| N/A<ref group="note">The user has to run <code>nixops send-keys</code> to create these files after a (manual) reboot. (not required after every reboot if <code>destDir</code> is in persistent storage)</ref>
| unencrypted in {{ic|/run/keys/...}} or configured path
| Unencrypted in <code>/run/keys</code> or configured path.
|
| N/A
| yes
| Yes
| no
| No
| "out of band", secret management happens outside of {{ic|nixos-rebuild}}
| Secret management happens outside of <code>nixos-rebuild</code>
|-
|-
| [[agenix]]
| [[Agenix]]
| encrypted raw files, {{ic|agenix}} CLI encrypts with the user and host ssh key
| Encrypted raw files, <code>agenix</code> CLI encrypts with the user and host ssh key
|
| N/A
| encrypted
| Encrypted
| decryption with the host ssh key
| Decryption with the host SSH key.
| unencrypted in {{ic|/run/secrets/...}} or configured path
| Unencrypted in <code>/run/secrets</code> or configured path.
| uses [https://github.com/FiloSottile/age {{ic|age}}] with ssh user and host keys, does not support {{ic|ssh-agent}}
| Uses <code>[https://github.com/FiloSottile/age age]</code> with SSH user and host keys; does not support <code>ssh-agent</code>.
| yes
| Yes
| no
| No
|-
|-
| [https://github.com/oddlama/agenix-rekey agenix-rekey]
| <code>[https://github.com/oddlama/agenix-rekey agenix-rekey]</code>
| extended agenix
| Extended <code>agenix</code>.
|
| N/A
| encrypted
| Encrypted
| decryption with the host ssh key
| Decryption with the host SSH key.
| unencrypted in {{ic|/run/secrets/...}} or configured path
| Unencrypted in <code>/run/secrets</code> or configured path.
| use with agenix, provides more convenience
| Use with <code>agenix</code>; provides more convenience.
| yes
| Yes
| no
| No
|-
|-
| [https://github.com/yaxitech/ragenix ragenix]
| [https://github.com/yaxitech/ragenix ragenix]
| encrypted raw files, {{ic|ragenix}} CLI encrypts with the user and host ssh key
| Encrypted raw files, <code>ragenix</code> CLI encrypts with the user and host SSH keys.
|
| N/A
| encrypted
| Encrypted
| decryption with the host ssh key
| Decryption with the host SSH key.
| unencrypted in {{ic|/run/secrets/...}} or configured path
| Unencrypted in <code>/run/secrets</code> or configured path.
| drop-in replacement of agenix, written in rust and based on age crate
| Drop-in replacement of <code>agenix</code>, written in Rust and based on the <code>age</code> crate.
| yes
| Yes
| no
| No
|-
|-
| [https://github.com/Mic92/sops-nix sops-nix]
| [https://github.com/Mic92/sops-nix sops-nix]
| encrypted with age, pgp or ssh key, support yubikey when gnupg is used, can be stored in git
| Encrypted file with <code>age</code>, PGP or SSH key, support yubikey when gnupg is used, can be stored in a Git repository.
|
| N/A
| encrypted
| Encrypted
| decryption
| Decryption with GPG or <code>age</code> keys.
| stored in {{ic|/run/secrets/}} with configurable permissions
| Stored in <code>/run/secrets</code> with configurable permissions.
| uses [https://github.com/mozilla/sops sops]
| Uses [https://github.com/getsops/sops SOPS].
| yes
| Yes
| yes
| Yes
| can be used with [[NixOps]], {{ic|nixos-rebuild}}, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus]
| Can be used with [[NixOps]], <code>nixos-rebuild</code>, [https://github.com/krebs/krops/ krops], [https://github.com/DBCDK/morph morph], [https://github.com/Infinisil/nixus nixus] and possibly other deployment tools.
|-
|-
| [https://github.com/krebs/krops krops]
| [https://github.com/krebs/krops krops]
| stored in [https://www.passwordstore.org/ the password store]
| Stored in [https://www.passwordstore.org/ the password store].
|
|
|
|
|
|
|
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
| yes
| no
|
|
| Uses [https://www.passwordstore.org/ the password store] (aka <code>pass</code>) which uses GPG.
| Yes
| No
|-
|-
| [https://github.com/tweag/terraform-nixos terraform-nixos]
| [https://github.com/tweag/terraform-nixos terraform-nixos]
| value of a nix expression
| Plaintext value in a Nix expression.
|
|
| stored in {{ic|/var/keys/...}} owned by the {{ic|keys}} unix group
|
|
|
|
| Stored in <code>/var/keys</code> owned by the <code>keys</code> Unix group.
|
|
| yes
| Yes
| no
| No
| see [https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs]
| See the <code>[https://github.com/tweag/terraform-nixos/tree/master/deploy_nixos#inputs terraform-nixos]</code> documentation.
|-
|-
| [https://github.com/platonic-systems/secrix secrix]
| [https://github.com/platonic-systems/secrix secrix]
| encrypted raw files, like {{ic|agenix}}
| Encrypted raw files, like <code>agenix</code>.
|
|
| encrypted
| Encrypted
| decryption with the host ssh key
| Decryption with the host SSH key.
| unencrypted in configured path in {{ic|/run}}
| Unencrypted in configured path in <code>/run</code>.
| uses [https://github.com/FiloSottile/age {{ic|age}}] by default with ssh user and host keys, does not support {{ic|ssh-agent}}
| Uses <code>[https://github.com/FiloSottile/age age]</code> by default with SSH user and host keys; does not support <code>ssh-agent</code>.
| yes
| Yes
| no
| No
| Focuses on trying to keep secrets decrypted for a minimal amount of time
| Focuses on trying to keep secrets decrypted for a minimal amount of time.
|-
|-
| [https://github.com/milieuim/vaultix vaultix]
| [https://github.com/milieuim/vaultix vaultix]
| encrypted raw files like agenix
| Encrypted raw files like agenix
|
|
| encrypted
| Encrypted
| decryption with the host ssh key
| Decryption with the host SSH key.
| unencrypted in specific paths
| Unencrypted in specific paths.
| powered by [https://docs.rs/age/latest/age/ {{ic|rust age crate}}]
| Powered by the <code>[https://docs.rs/age/latest/age/ age]</code> Rust crate.
| yes
| Yes
| yes
| Yes
|-
|-
|[https://github.com/brizzbuzz/opnix brizzbuzz/opnix]
| [https://github.com/brizzbuzz/opnix brizzbuzz/opnix]
|
|
|
|
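Review bot: the rewritten introduction has a grammar slip ("in an unique position" should read "in a unique position") and marks up <code>&lt;b&gt;secret managing schemes&lt;/b&gt;</code> with HTML bold where the rest of the page uses wikitext; since the edit summary says the rewrite follows the Manual of Style, <code>'''secret managing schemes'''</code> would be consistent. In the same paragraph, "upload the repository on the public Internet" reads better as "to the public Internet", and the mjolnir reference repeats "(among many others)" although the sentence already says "among many other examples". In the table, the sops-nix row lists "age, PGP or SSH key" under Pre-build but only "GPG or age keys" under System activation; either list the SSH case in both cells or say why it differs. The rewritten cells also mix styles: most end with a period and wrap tool names in <code>&lt;code&gt;</code>, but the vaultix Pre-build cell ("Encrypted raw files like agenix") does neither, and the agenix-rekey cells ("Extended agenix", "provides more convenience") still do not say what is extended, which this cleanup could fill in. Finally, the terraform-nixos row appears to move the "/var/keys owned by the keys Unix group" cell out of the In the store column into Runtime and leaves In the store empty, so a reader can no longer tell whether that secret also ends up in the Nix store; an explicit "Not stored in the Nix Store." or "Unknown" there would be clearer than a blank.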
Line 157: Line 143:
|
|
|
|
|1password
| 1password
|
|
|
|
|
|
|-
|-
|[https://github.com/mrjones2014/opnix mrjones2014/opnix]
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog Entry]: wrapper around <code>pass</code> based on <code>[https://github.com/shlevy/nix-plugins nix-plugins]</code>.
|
| Stored in [https://www.passwordstore.org/ the password store].
| Data is retrieved/decrypted with <code>pass</code> during evaluation time.
| Unencrypted in the store.
|
|
|
|
| Uses [https://www.passwordstore.org/ the password store] (aka <code>pass</code>) which uses GPG.
| No
| No
|
|
|
|1password
|
|
|
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templating support
! notes
|-
|-
| [https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20 Blog entry 1]
| <code>builtins.readfile</code>, <code>builtins.exec</code><ref>[https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 Using an external secret file in a Nix sandboxed build] on the NixOS Discourse</ref>
| plain text file (unencrypted), can be stored in git
| <code>builtins.readfile</code> can read any file, <code>builtins.exec</code> can execute commands and thus query any kind of database or password manager.
| encryption
| These functions return values in a Nix expression; it is up to the user what happens to these values in the NixOS configuration.
| encrypted in the store
| See "build time"
| decrypted by a systemd unit
| See "build time"
|
| See "build time"
| uses [https://github.com/FiloSottile/age age] and the ssh host key of the target machine
| These functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic".
| no, [https://christine.website/blog/nixos-encrypted-secrets-2021-01-20 blog], and [https://github.com/Xe/nixos-configs/blob/master/common/crypto/default.nix config repository]
| No
| no
| No
| Warning: plaintext is unencrypted in the nix store of the deployment machine
| The referenced NixOS Discourse discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all.
|-
|-
| [https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html Blog entry 2]
! Scheme
wrapper around {{ic|pass}} based on [https://github.com/shlevy/nix-plugins nix-plugins]
! Pre-build
| stored in [https://www.passwordstore.org/ the password store]
! Build time
| data is retrieved/decrypted with {{ic|pass}} during evaluation time
! In the store
| unencrypted in the store
! System activation
|
! Runtime
|
! Encryption technology
| uses [https://www.passwordstore.org/ the password store] (aka {{ic|pass}}) which uses gpg
! Usable project
| no
! Templating support
| no
! Additional notes
|
|-
| {{ic|builtins.readfile}}
{{ic|builtins.exec}}
discussion [https://discourse.nixos.org/t/using-an-external-secret-file-in-a-nix-sandboxed-build/3274 on discourse] about build time secrets
| {{ic|builtins.readfile}} can read any file, {{ic|builtins.exec}} can execute commands and thus query any kind of database or password manager etc.
| these functions return values in a nix expression, it is up to the user what happens to these values in {{ic|configuration.nix}}
| see "build time"
| see "build time"
| see "build time"
| these functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic"
| no
| no
| the linked discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all
|-
! scheme
! pre build
! build time
! {{ic|/nix/store}} (or on disk)
! system activation
! runtime
! encryption technology
! "official" project
! templating support
!'''notes'''
|}
|}
==Notes==
<references group="note" />
==References==
<references />


[[Category:Guide]]
[[Category:Guide]]
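Review bot: the rewritten <code>builtins.readfile</code> / <code>builtins.exec</code> row answers In the store, System activation and Runtime with 'See "build time"', but the Build time cell only says it is "up to the user" what happens to the values; the neighbouring <code>pass</code>-wrapper row, which also retrieves secrets at evaluation time, states the consequence plainly ("Unencrypted in the store"), and the same consequence follows here whenever the returned value is used in the configuration, so stating it in the In the store cell (and keeping the old "Warning: plaintext is unencrypted in the nix store" wording) would preserve the security point the old row made. The builtin is spelled <code>builtins.readFile</code> (camel case), so both occurrences of <code>builtins.readfile</code> should be corrected as part of the cleanup. The hunk also appears to drop two whole rows, the mrjones2014/opnix row (which only contained "1password") and the "Blog entry 1" row with its age-plus-systemd-unit description and the plaintext warning, while the edit summary speaks only of grammar and a cleanup of outdated information; if those rows were removed as outdated, saying so in the summary or in a table note would help, and if they were lost while reordering, they should be restored.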