NixOS and Secrets
8 points by polywolf
I see a note that sops-nix and agenix don’t store the unencrypted secret on disk, but does that provide any practical benefit?
The encrypted secret and its key both are on disk, right? Or is one of them stored inside of a TPM or something?
I’m just starting to use Nix (for selfhosting services) and I’ve been using the “scp into the filesystem” route since it is simple and not much of a burden on my tiny deployments.
Edit: after a little research, it does sound like you can secure the SSH private key using a TPM. I wonder if that can be done from a VM… edit again: sounds like there can be “vTPM” support. I guess I answered my own question, then!
On my servers I use sops-nix; for my threat model it is more than enough and I find it works well. Now I’m curious about storing the ssh private key in a TPM.
For servers, there is also the NixOps approach. Have a look at what Colmena does: https://colmena.cli.rs/0.4/features/keys.html
The idea is to have a trusted machine that holds the secrets and can push them to remote servers. Kind of what you do with scp, but with more nix to drive the process.
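As an added illustration of the "trusted machine pushes the secret" model described above (this is example code, not from the thread or from Colmena's own documentation), here is a minimal Colmena hive entry. The hostname, key path and service name are constructed placeholders; the `deployment.keys` options follow Colmena's documented schema, and the `<name>-key.service` unit name is what Colmena generates for each key as far as I know, so treat that ordering dependency as an assumption to verify against the docs.

```nix
# Added example: Colmena hive.nix that pushes one secret from the deployer.
{
  meta.nixpkgs = import <nixpkgs> { };   # assumption: channel-based nixpkgs

  web1 = { pkgs, ... }: {
    deployment.targetHost = "web1.example.internal";   # constructed hostname

    deployment.keys."api-token" = {
      # Read on the deploying (trusted) machine at deploy time and sent over
      # SSH; the plaintext never enters the world-readable Nix store.
      keyFile = "/home/admin/secrets/api-token";      # constructed path
      # /run is tmpfs on NixOS, so the key does not survive a reboot and
      # is not left on the target's disk for someone who walks off with it.
      destDir = "/run/keys";
      user = "myapp";                                  # constructed service user
      group = "myapp";
      permissions = "0400";
      uploadAt = "pre-activation";
    };

    # Make the service wait for the key to land before it starts.
    systemd.services.myapp = {
      after = [ "api-token-key.service" ];
      wants = [ "api-token-key.service" ];
      serviceConfig.ExecStart = "${pkgs.coreutils}/bin/cat /run/keys/api-token";
    };
  };
}
```

Deploying with `colmena apply` re-uploads the key each time, which is the same lifecycle as the scp approach in the original post, just driven by the Nix expression instead of a manual copy. The check worth doing after a deploy is that the key exists only under `/run/keys` with the expected mode and owner, and not anywhere under `/nix/store`.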
The encrypted secret and its key both are on disk, right? Or is one of them stored inside of a TPM or something?
In Agenix, by default, the encrypted secrets are decrypted using /etc/ssh/ssh_host_ed25519_key and then put into a ramfs mounted at /run/agenix.d. So yes, the encrypted content, the encryption key, and the unencrypted content are all available in the filesystem.
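To make the three locations named above concrete, here is an added agenix example (my own illustration, not code from the thread or from the agenix project). The secret name, owner and file path are constructed; the `age.*` option names are agenix's, and the default `age.identityPaths` already contains the host's ed25519 key, so the explicit setting is only there to show where the decryption key lives. The companion `secrets/secrets.nix` file, which lists the SSH public keys allowed to decrypt each `.age` file (the host key plus an admin key), is consumed only by the `agenix` CLI when encrypting and is not evaluated on the server.

```nix
# Added example: NixOS module using agenix for one secret.
{ config, ... }:
{
  # Assumption: the agenix module is already in `imports` (channel or flake).

  # Location 1: the decryption key. This sits on the disk of the target host.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.db-password = {
    # Location 2: the encrypted .age file. Referenced from the config, so it
    # is copied into the world-readable /nix/store; that is safe because it
    # is ciphertext, but only as long as the host key is not also leaked.
    file = ./secrets/db-password.age;
    owner = "postgres";    # constructed service user
    group = "postgres";
    mode = "0400";
  };

  # Location 3: the plaintext. At activation agenix decrypts into the ramfs
  # at /run/agenix.d and exposes it via config.age.secrets.<name>.path
  # (under /run/agenix). ramfs is never swapped and vanishes on power-off,
  # so a pulled disk holds locations 1 and 2 but not 3.
  services.postgresql.enable = true;
  systemd.services.postgresql.serviceConfig.EnvironmentFile =
    config.age.secrets.db-password.path;
}
```

The practical consequence for the original question: the decrypted secret is still readable at runtime by root and by the owner you set, so what ramfs buys you is protection against offline disk access, not against a compromise of the running host. If the host SSH key itself is the thing you want off the disk, that is where the TPM-backed key mentioned in the edit comes in: the `.age` file in the store would then be undecryptable without the hardware.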
I see a note that sops-nix and agenix don’t store the unencrypted secret on disk, but does that provide any practical benefit?
If it is on disk, and someone walks away with the disk, they have a much higher chance of getting to the secret.