
Secret management and deployment (current good enough 😁 practices)? #22

Closed
con-f-use opened this issue Apr 7, 2023 · 4 comments
con-f-use commented Apr 7, 2023

I know this is a broad topic and there is no one way to skin this cat. It would be nice though to hear from veteran nix users what the current widely-used ways are to get secrets to deployed machines. Basically, I'd like an entry point for people who feel lost or overwhelmed with secret management, so they understand the issues and options better and can navigate their way to what is a good option for them.

Loose points:

  • Why is it hard to do on NixOS?
  • Why do NixOS and deploy tools not have a built-in option for secret management and secret deployment?
  • Some NixOS modules don't play nice when secrets are not specified at build-time, any workarounds?
  • On single user systems it's probably okay if secrets end up in nix store (though not ideal), right?
    • This one goes a little too deep: Even if it is encrypted, if something (by accident) ends up on a binary cache / substitutor, we have a problem with forward security if the encryption method ever becomes breakable, because the secret text might also live long enough there and retain its value. Is there a solution for secret rotation?
  • How can you double-check (absolutely make sure) your secret doesn't end up in the store?
  • Some solutions I've come across: systemd.LoadCredential (docs PR), sops-nix, agenix, vault-secrets
  • The last one is a bit "cloud solution-y". Cloud secret delivery is a whole different Pandora's Box, but if there's time, could you talk about that, too?

con-f-use commented Apr 19, 2023

To anyone reading this, we got exactly to the systemd.LoadCredential(s) part in nix hour 24 and were able to resolve the issues seen there off-camera, resulting in this gem: https://github.com/tweag/nix-hour/tree/master/24 . We learned a bit about how systemd services signal their readiness and how their permissions to do so are managed.

The rest of the topic might show up in future nix hours, though Silvan said he's not an expert and is thus a bit reluctant.
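An added example, not code from this issue or from the nix-hour repository, of the systemd.LoadCredential approach both comments above refer to: the service receives the secret at runtime from a file outside the store, so nothing secret ends up in the system closure or on a binary cache. The service name, the token path under /var/lib/secrets and the URL are assumptions made for this example.

```nix
# NixOS module (added example, hypothetical service). The secret file is placed
# on the host outside /nix/store, e.g. by hand or by a tool such as agenix or
# sops-nix; the path below is an assumption for this example.
{ config, pkgs, ... }:
{
  # Never put the secret *value* into a Nix expression: every string a Nix
  # expression evaluates to (literals, pkgs.writeText, builtins.readFile, ...)
  # lands world-readable in /nix/store and may be pushed to a substitutor.
  systemd.services.example-api = {
    description = "Hypothetical service that needs an API token";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      # LoadCredential=ID:PATH: systemd copies PATH into a private tmpfs and
      # exposes it as $CREDENTIALS_DIRECTORY/ID, readable only by this unit.
      # The on-disk file can therefore stay root:root mode 0400.
      LoadCredential = "api-token:/var/lib/secrets/example-api.token";
      # The start script does end up in the store, but it contains only the
      # credential *name*, never its contents: the token is read at runtime.
      ExecStart = pkgs.writeShellScript "example-api-start" ''
        token="$(cat "$CREDENTIALS_DIRECTORY/api-token")"
        exec ${pkgs.curl}/bin/curl --fail --silent \
          -H "Authorization: Bearer $token" \
          https://api.example.invalid/health
      '';
    };
  };
}
```

To double-check on the deployed host that the value is not in the system closure, `nix-store -qR /run/current-system | xargs grep -rlF -f /var/lib/secrets/example-api.token` should print nothing (the secret file must contain exactly one non-empty line, since an empty line in a `-f` pattern file matches everything).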

0x4A6F commented May 12, 2023

Some information is also collected here, open for improvement.

@infinisil (Member)

I think this is reasonably covered in a recent blog post: https://discourse.nixos.org/t/handling-secrets-in-nixos-an-overview-git-crypt-agenix-sops-nix-and-when-to-use-them/35462

Since I don't know too much about this myself, I'll consider this satisfactory for now
