[Nix-dev] NixOS issue: Passwords and Nix store

Michael Raskin 7c6f434c at mail.ru
Sat Jun 11 21:27:26 CEST 2011


>Hi list,
>
>I think most of you are aware of the problem.  The problem is that
>the content of the nix store is public.  So if passwords are part of
>derivations or part of the build result, they would appear as
>readable inside the nix store.
>
>In NixOS, to work around this issue, we have to either pass filenames
>with double quotes, to escape from the copy of the file into the nix
>store.  This has 2 disadvantages. The first one is that most of the
>options do not ensure that you cannot give a path to them.  The second
>one is that this prevents us from creating abstractions over the content
>of the configuration file in order to ensure consistency of configuration files.
>
>We have multiple solutions to handle this problem.

n+1/ encryption. See gw6c service. On launch, you access a properly secured 
private key, optionally check that the public key in store matches, and 
write the real config with sane permissions by decrypting what is in store.
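The launch-time sequence sketched in this reply (private key kept outside the store, public key in the store checked against it, real config written with restrictive permissions), as an added shell example that is not the gw6c service's or NixOS's own code; it assumes openssl is available and that the ciphertext and public key are world-readable files, as anything under /nix/store would be.

```shell
#!/bin/sh
# Added example, not NixOS or gw6c code: the launch-time pattern from the
# reply above, using openssl (an assumption; any asymmetric tool would do).
# Files assumed: config.enc and pub.pem are world-readable (as anything in
# /nix/store is); key.pem is the private key kept outside the store.
set -eu

# Decrypt store-side ciphertext $1 into $4 using private key $3, after
# checking that $3 matches the public key $2 that was shipped in the store.
# Exit status: 0 ok, 1 public key mismatch, 2 private key is not mode 0600.
launch_decrypt() {
    enc="$1"; pub="$2"; key="$3"; out="$4"
    [ "$(stat -c %a "$key")" = "600" ] || return 2
    derived="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    [ "$derived" = "$(cat "$pub")" ] || return 1
    # Write into a 0600 temp file next to the target, then move it into
    # place so the real config is never observable with loose permissions.
    tmp="$(mktemp "$out.XXXXXX")"
    chmod 600 "$tmp"
    openssl pkeyutl -decrypt -inkey "$key" -in "$enc" -out "$tmp"
    mv "$tmp" "$out"
}

# Constructed fixture standing in for what the store would contain: a key
# pair, the public half "in the store", and an encrypted config fragment.
# Prints the directory it created.
setup_demo() {
    dir="$(mktemp -d)"
    ( umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null )
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    printf 'password = hunter2\n' > "$dir/plain.conf"   # constructed secret
    openssl pkeyutl -encrypt -pubin -inkey "$dir/pub.pem" \
        -in "$dir/plain.conf" -out "$dir/config.enc"
    rm "$dir/plain.conf"
    echo "$dir"
}

# Stand-alone run: decrypt and show the resulting file mode.
if [ "${1:-}" = "demo" ]; then
    d="$(setup_demo)"
    launch_decrypt "$d/config.enc" "$d/pub.pem" "$d/key.pem" "$d/real.conf"
    stat -c '%a %n' "$d/real.conf"
fi
```

Run with `sh script.sh demo` to see the decrypted config land with mode 600; a wrong private key or a key left world-readable makes the step refuse before anything is written.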
