I am having a tough time choosing a secrets/password manager. If I want to manage secrets, something like sops or age or git-crypt should work well, but I am not super happy using it as I want a solution that works out to be both my password manager (on mobile and browser) and secrets manager.
I spent quite some time researching the ideal tool and came across HashiCorp Vault and Bitwarden Secrets Manager (the latter works out well as I already self-host Vaultwarden, but unlike the password manager, it is proprietary). To be honest, all these solutions seem bloated to me.
Password/secrets management should not be this hard, and today I came across this simple tool that helps manage passwords with minimal dependencies: https://git.zx2c4.com/password-store/about/. There is a problem though: for every new machine that I deploy, I will have to set up the GPG keys for the first time. I know gpg-agent exists, but if it has to get authorised to decrypt from a central server, you will again need ssh-agent forwarding for this.
I don’t think I am ready to maintain another GPG key now. I would like to just use my SSH key to encrypt the password/secrets file in a git-tracked repo, and the hosts I deploy on can use ssh-agent to be authorised to decrypt these files on startup and place them in files with proper user and group permissions. And I am sure that using user and group permissions, we can achieve secrets management for large organisations, where different subsets of users have permission to access different keys.
I am trying to solve the following problems with a simple secrets/password manager:
There might be flaws in the idea, so I would like some feedback.
Also, I will be using this topic to keep track of my progress.
If I am going in the right direction, I would like to spend some time over weekends trying to build the tool that satisfies the points above.
Looks like an interesting project indeed, I may consider using it even.
Are you looking to design something that is cross-platform (eg: on nix-darwin) or just NixOS?
cross-platform, yes!
Also, in the future I could maybe re-use existing clients of password-store to build Android, iOS and desktop clients and completely replace even bitwarden/vaultwarden. Perhaps I could just use Dioxus to build these clients?
I have used pass in the past. https://srid.ca/pass
But https://github.com/serokell/vault-secrets looks interesting, I may play with it via https://github.com/1Password/vault-plugin-secrets-onepassword since I already use 1Password.
https://github.com/serokell/vault-secrets also came up while I was looking, but again it's tied to an organisation; they might end up doing something like Bitwarden did with Bitwarden Secrets Manager, which is fine if you think about the business aspects. And also Vault is only for secrets.
I just think that this problem should be solved effectively in the simplest way possible and be fully open.
Another thing I don’t like about hashicorp vault is that their tutorial is completely focused on specific cloud providers, which I understand is because of how the industry functions, but I would have liked if they had tutorials for native setup and configuration.
I still use pass for account passwords at least, and currently rely on colmena to place secrets completely outside of nix evaluation, mostly from one of my few pass repos.
Although it's still not super ideal, it's good enough for me not to bother with it ATM. I have thought about this problem for a while though. At work we used to use Vault to distribute secrets throughout the cluster, but it's a bit overkill for my little lab network I think.
Surprised to see this never came up. Better than sops-nix in some respects (nix-darwin support; direct use of SSH keys and very simple).
There's also a Rust variant: https://github.com/yaxitech/ragenix
I mean yeah, if you go with age as a backend anyways, it's a decent alternative to sops-nix I guess.
Actually, may I suggest Secrix https://github.com/Platonic-Systems/secrix
It's a home-brewed solution made by a colleague of mine; usage is amazingly clear in my opinion:
Here is an example of me using it for NextCloud.
interesting, so many more solutions :smile:
what's the advantage over agenix over sops-nix?
John Bargman said:
may I suggest Secrix
Does it work on macOS?
All secrets are stored in virtual memory and do not end up on disk.
What do you do after a reboot? Re-deploy (nixos-rebuild switch)?
Last updated: Jan 18 2025 at 04:45 UTC