Comparison of secret managing schemes

Introduction

Some NixOS modules require the use of secret information to function correctly. This information can include user^[1] and Wi-Fi passwords^[2], cryptographic private keys^[3] and secret API tokens^[4], among many other examples of secret information. On a standard Linux system, one would store this kind of information in separate files with restricted access rights (only readable by some Unix user) or encrypt them on-disk.

While this paradigm is still available to NixOS users, a Nix-managed system is in an unique position to leverage secret managing schemes: special software capable of deploying secret information securely. Instead of writing the secret information unencrypted to a NixOS configuration, the software described below can decrypt the relevant secrets and deploy them at various stages of the NixOS system deployment process. This advanced form of secrets configuration is even more important for NixOS configurations tracked with Git or Flakes, as one will be able to store these encrypted secrets in the Git repository and still be able to upload the repository on the public Internet.

Definitions

The properties of the different schemes that are listed in the table below are explained in detail here.

Scheme: The name of the scheme; if possible also a link to the official website or source.
Pre-build: Where does the secret reside before the configuration is built? In a file? In a Nix expression? In an external database? Is it encrypted?
Build time: What happens at build time? Is the secret decrypted or encrypted? Which primary passwords, passphrases or helper programs are needed?
In the store: Is the data stored in /nix/store after the build? Is it encrypted? This has implications for reproducibility: if a secret is not stored in the Nix store it might be more difficult to recreate an old system configuration.
System activation: What happens to the data at system activation, that is, at boot time or when nixos-rebuild switch or nixos-rebuild switch --rollback is executed.
Runtime: Where does the secret reside after system activation? Is it encrypted? Who can read it?
Encryption technology: Which programs or tools are used for encryption or decryption of secrets? Is ssh-agent or gpg-agent supported?
Usable project: Whether this is a published software project (maybe even actively developed) or just usage notes in a forum or a blog entry.
Templating support: Whether the project supports configuration templates, a way to seamlessly embed secrets in the syntax of a specific configuration file.

Comparison

Comparison of secret managing schemes^[5]
Scheme	Pre-build	Build time	In the store	System activation	Runtime	Encryption technology	Usable project	Templating support	Additional notes
`deployment.keys.<name>` option in NixOps	Plaintext value in a Nix expression.	N/A	Not stored in the Nix Store.	N/A^{[note 1]}	Unencrypted in `/run/keys` or configured path.	N/A	Yes	No	Secret management happens outside of `nixos-rebuild`
Agenix	Encrypted raw files, `agenix` CLI encrypts with the user and host ssh key	N/A	Encrypted	Decryption with the host SSH key.	Unencrypted in `/run/secrets` or configured path.	Uses `age` with SSH user and host keys; does not support `ssh-agent`.	Yes	No
`agenix-rekey`	Extended `agenix`.	N/A	Encrypted	Decryption with the host SSH key.	Unencrypted in `/run/secrets` or configured path.	Use with `agenix`; provides more convenience.	Yes	No
ragenix	Encrypted raw files, `ragenix` CLI encrypts with the user and host SSH keys.	N/A	Encrypted	Decryption with the host SSH key.	Unencrypted in `/run/secrets` or configured path.	Drop-in replacement of `agenix`, written in Rust and based on the `age` crate.	Yes	No
sops-nix	Encrypted file with `age`, PGP or SSH key, support yubikey when gnupg is used, can be stored in a Git repository.	N/A	Encrypted	Decryption with GPG or `age` keys.	Stored in `/run/secrets` with configurable permissions.	Uses SOPS.	Yes	Yes	Can be used with NixOps, `nixos-rebuild`, krops, morph, nixus and possibly other deployment tools.
krops	Stored in the password store.					Uses the password store (aka `pass`) which uses GPG.	Yes	No
terraform-nixos	Plaintext value in a Nix expression.				Stored in `/var/keys` owned by the `keys` Unix group.		Yes	No	See the `terraform-nixos` documentation.
secrix	Encrypted raw files, like `agenix`.		Encrypted	Decryption with the host SSH key.	Unencrypted in configured path in `/run`.	Uses `age` by default with SSH user and host keys; does not support `ssh-agent`.	Yes	No	Focuses on trying to keep secrets decrypted for a minimal amount of time.
vaultix	Encrypted raw files like agenix		Encrypted	Decryption with the host SSH key.	Unencrypted in specific paths.	Powered by the `age` Rust crate.	Yes	Yes
brizzbuzz/opnix						1password
Blog Entry: wrapper around `pass` based on `nix-plugins`.	Stored in the password store.	Data is retrieved/decrypted with `pass` during evaluation time.	Unencrypted in the store.			Uses the password store (aka `pass`) which uses GPG.	No	No
`builtins.readfile`, `builtins.exec`^[6]	`builtins.readfile` can read any file, `builtins.exec` can execute commands and thus query any kind of database or password manager.	These functions return values in a Nix expression; it is up to the user what happens to these values in the NixOS configuration.	See "build time"	See "build time"	See "build time"	These functions just read files or execute commands, they do not provide anything inherently "secure" or "cryptographic".	No	No	The referenced NixOS Discourse discussion is about a signing key that is only needed during build time and should not be stored in the nix store at all.
Scheme	Pre-build	Build time	In the store	System activation	Runtime	Encryption technology	Usable project	Templating support	Additional notes

Notes

↑ The user has to run nixops send-keys to create these files after a (manual) reboot. (not required after every reboot if destDir is in persistent storage)

References

↑ The users.users.<name>.hashedPasswordFile option.
↑ The networking.wireless.secretsFile option.
↑ The services.openssh.hostKeys option.
↑ The services.mjolnir.accessTokenFile option. (among many others)
↑ Comparison of different key/secret managing schemes on the NixOS Discourse
↑ Using an external secret file in a Nix sandboxed build on the NixOS Discourse

[6] The user has to run nixops send-keys to create these files after a (manual) reboot. (not required after every reboot if destDir is in persistent storage)

[1] The users.users.<name>.hashedPasswordFile option.

[2] The networking.wireless.secretsFile option.

[3] The services.openssh.hostKeys option.

[4] The services.mjolnir.accessTokenFile option. (among many others)

[5] Comparison of different key/secret managing schemes on the NixOS Discourse

[7] Using an external secret file in a Nix sandboxed build on the NixOS Discourse

[1]

[2]

[3]

[4]

[5]

[note 1]

[6]