[Nix-dev] store & passwords - once again
Michael Raskin
7c6f434c at mail.ru
Thu Jul 26 09:09:12 CEST 2012
>Right now, I need to distribute and sync my "secure files" to multiple
>machines. If I could just store the mysql password in the store,
>gpg encrypted, that would make things a lot easier.
>As files can be encrypted for multiple receivers, I can manage
>permissions through that mechanism and just store everything in 1 place
>(channel).
>
>Then, during activation of a new configuration, when some password is
>needed (like when creating a mysql database), "gpg -d" would give a
>passphrase prompt to the person who has chosen this config.
>To avoid interactivity, a passphrase-less key can be used (granted, then
>we're back to the current security-level where gaining root/physical
>access gives you all plain passwords), or gpg-agent.
So what we want is to make some storage for secrets that is accessible
only to the associated builder (so that the secrets are not stored in
derivations)?
Encrypting/decrypting per se are easy.