Stream: nixos

Topic: secrets/password management


Shivaraj B H (Mar 17 2024 at 15:00):

I am having a tough time choosing a secrets/password manager. If I want to manage secrets, something like sops or age or git-crypt should work well, but I am not super happy using it as I want a solution that works out to be both my password manager (on mobile and browser) and secrets manager.

I spent quite some time researching for the ideal tool, came across hashicorp vault, bitwarden secrets manager (this works out well as I already self-host vaultwarden, but unlike the password manager, this is proprietary). To be honest, all these solutions seem bloated to me.

Password/secrets management should not be this hard, and today I came across this simple tool that helps manage passwords with minimal dependencies: https://git.zx2c4.com/password-store/about/. There is a problem though: for every new machine that I deploy, I will have to set up the GPG keys for the first time. I know gpg-agent exists, but if it has to get authorised to decrypt from a central server, you will again need ssh agent forwarding for this.

I don’t think I am ready to maintain another GPG key now. I would like to just use my SSH key to encrypt the password/secrets file in a git-tracked repo, and the hosts I deploy on can use ssh-agent to be authorised to decrypt these files on startup and place them in files with proper user and group permissions. And I am sure that using user and group permissions, we can achieve secrets management for large organisations, where different subsets of users have permissions to access different keys.

I am trying to solve the following problems with a simple secrets/password manager:

Shivaraj B H (Mar 17 2024 at 15:02):

There might be flaws in the idea, so I would like some feedback.

Also, I will be using this topic to keep track of my progress.

Shivaraj B H (Mar 17 2024 at 15:03):

If I am going in the right direction, I would like to spend some time over weekends trying to build the tool that satisfies the points above.

Srid (Mar 17 2024 at 15:24):

Looks like an interesting project indeed, I may consider using it even.

Are you looking to design something that is cross-platform (eg: on nix-darwin) or just NixOS?

Shivaraj B H (Mar 17 2024 at 15:30):

cross-platform, yes!

Shivaraj B H (Mar 17 2024 at 15:35):

Also, in the future, maybe re-use existing clients of password-store to also build Android, iOS and desktop clients to completely replace even bitwarden/vaultwarden. Perhaps I could just use dioxus to build these clients?

Srid (Mar 17 2024 at 15:35):

I have used pass in the past. https://srid.ca/pass

But https://github.com/serokell/vault-secrets looks interesting, I may play with it via https://github.com/1Password/vault-plugin-secrets-onepassword since I already use 1Password.

Shivaraj B H (Mar 17 2024 at 15:48):

https://github.com/serokell/vault-secrets also came up while I was looking, but again it's tied to an organisation; they might end up doing something like bitwarden did with bitwarden secrets manager, which is fine if you think about the business aspects. And also vault is only for secrets.

I just think that this problem should be solved effectively in the simplest way possible and be fully open.

Shivaraj B H (Mar 17 2024 at 15:48):

Another thing I don’t like about hashicorp vault is that their tutorial is completely focused on specific cloud providers, which I understand is because of how the industry functions, but I would have liked it if they had tutorials for native setup and configuration.

Tim DeHerrera (Mar 17 2024 at 22:23):

I still use pass for account passwords at least, and currently rely on colmena to place secrets completely outside of nix evaluation, mostly from one of my few pass repos.

Although it's still not super ideal, it's good enough not to bother with it for me ATM. I have thought about this problem for a while though. At work we used to use vault to distribute secrets throughout the cluster, but it's a bit overkill for my little lab network, I think.

Srid (Jun 19 2024 at 15:09):

agenix

Surprised to see this never came up. Better than sops-nix in some respects (nix-darwin support; direct use of SSH keys and very simple).

There's also a Rust variant: https://github.com/yaxitech/ragenix

Andreas (Jun 19 2024 at 17:31):

I mean yeah, if you go with age as a backend anyways, it's a decent alternative to sops-nix I guess.

John Bargman (Jul 06 2024 at 07:22):

Actually, may I suggest Secrix https://github.com/Platonic-Systems/secrix

It's a home-brew solution made by a colleague of mine; usage is amazingly clear in my opinion.
Here is an example of me using it for NextCloud.

https://github.com/DarthPJB/NixOS-Configuration/blob/4595f79f7b771c14ea1c43e16b5d179a6ddd4c32/server_services/nextcloud.nix#L7

Andreas (Jul 06 2024 at 08:32):

interesting, so many more solutions :smile:

Andreas (Jul 06 2024 at 08:32):

what's the advantage of agenix over sops-nix?

Srid (Jul 06 2024 at 15:27):

John Bargman said:

may I suggest Secrix

Does it work on macOS?

Srid (Jul 06 2024 at 15:28):

All secrets are stored in virtual memory and do not end up on disk.

What do you do after a reboot? Re-deploy (nixos-rebuild switch)?


Last updated: Jan 18 2025 at 04:45 UTC