[Nix-dev] store & passwords - once again

Mathijs Kwik mathijs at bluescreen303.nl
Thu Jul 26 08:52:11 CEST 2012


Marc Weber <marco-oweber at gmx.de> writes:

> Right now you should not put passwords into the store, because it's world
> readable by default. The common workaround is to store files at /root
> and put the path into the /store instead, right?
>
> What about creating a new primop which allows writing arbitrary files?
>
> Then you could do this:
>
>   services.foo = {
>     passwordFile = builtins.__writeArbitraryFile "/root/password-for-xy" "top-secret-password"; # should return the path
>   };
>
> This way it could be ensured that the files have the correct format -
> and no passwords would be written to the store, right?
>
> Does this make any sense?

It sounds useful indeed.
However, I don't like the idea of storing passwords and secrets
anywhere. Indeed the store itself is readable by all, so /root or some
other dir with 700 root:root is way better, but all in all, I would
rather use encryption or some keyring thing.

Right now, I need to distribute and sync my "secure files" to multiple
machines. If I could just store the mysql password in the store,
gpg encrypted, that would make things a lot easier.
As files can be encrypted for multiple receivers, I can manage
permissions through that mechanism and just store everything in 1 place
(channel).

Then, during activation of a new configuration, when some password is
needed (like when creating a mysql database), "gpg -d" would give a
passphrase prompt to the person who has chosen this config.
To avoid interactivity, a passphrase-less key can be used (granted, then
we're back to the current security-level where gaining root/physical
access gives you all plain passwords), or gpg-agent.

Mathijs

>
> It would be useful for creating mysql databases and the like.
>
> Marc Weber
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
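The scheme Mathijs sketches above (ciphertext in the store or channel, plaintext decrypted at activation time into a root-only directory) could look like the following NixOS configuration fragment. This is an added illustration, not code from either poster or from NixOS itself: the `./secrets/mysql-root-password.gpg` file, the recipient ids in the comment, the `/root/secrets` location and the `services.foo.passwordFile` option (Marc's hypothetical option name) are all placeholders. Only `system.activationScripts` and `pkgs.gnupg` are real NixOS/nixpkgs names.

```nix
{ config, pkgs, ... }:

let
  # Ciphertext produced once on the admin's machine, for every person allowed
  # to deploy this configuration (recipient ids are placeholders):
  #   gpg --encrypt -r admin@example.org -r ops@example.org mysql-root-password
  # Because it is a path literal, Nix copies it into the world-readable store,
  # which is fine: only the ciphertext is exposed, and access control is the
  # set of GPG recipients rather than file permissions.
  encryptedPassword = ./secrets/mysql-root-password.gpg;

  # Where the plaintext ends up: outside the store, readable by root only.
  passwordFile = "/root/secrets/mysql-root-password";
in
{
  # Runs on every `nixos-rebuild switch` / boot, before services start.
  system.activationScripts.decryptMysqlPassword = ''
    umask 077                      # new files are created 0600/0700
    mkdir -p /root/secrets
    # gpg -d asks the deploying person for their passphrase (or uses gpg-agent,
    # or a passphrase-less key if the deployment has to be non-interactive).
    ${pkgs.gnupg}/bin/gpg --yes --output ${passwordFile} --decrypt ${encryptedPassword}
    chmod 0600 ${passwordFile}
  '';

  # Only the *path* of the plaintext reaches the store, never the secret.
  # `services.foo.passwordFile` stands in for whatever service option would
  # consume the file (hypothetical, as in Marc's sketch).
  services.foo.passwordFile = passwordFile;
}
```

Two properties worth checking on a machine built this way: `ls -l $(nix-store -q --references /run/current-system | grep mysql-root-password)` should show only the `.gpg` ciphertext in the store, and `grep -r` for the plaintext password over `/nix/store` should find nothing. The remaining exposure is exactly the one Mathijs names: whoever can read `/root/secrets` (root, or anyone with physical access to an unencrypted disk) sees the plaintext, so a passphrase-less decryption key buys convenience at the cost of that residual risk.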

