[Nix-dev] store & passwords - once again

Mathijs Kwik mathijs at bluescreen303.nl
Thu Jul 26 10:32:27 CEST 2012


On Thu, Jul 26, 2012 at 9:09 AM, Michael Raskin <7c6f434c at mail.ru> wrote:

> >Right now, I need to distribute and sync my "secure files" to multiple
> >machines. If I could just store the mysql password in the store,
> >gpg encrypted, that would make things a lot easier.
> >As files can be encrypted for multiple receivers, I can manage
> >permissions through that mechanism and just store everything in 1 place
> >(channel).
> >
> >Then, during activation of a new configuration, when some password is
> >needed (like when creating a mysql database), "gpg -d" would give a
> >passphrase prompt to the person who has chosen this config.
> >To avoid interactivity, a passphrase-less key can be used (granted, then
> >we're back to the current security-level where gaining root/physical
> >access gives you all plain passwords), or gpg-agent.
>
> So what we want is to make some storage for secrets that is accessible
> only to the associated builder (so that the secrets are not stored in
> derivations)?
>

Not sure if this is what I propose.
Depends on what you mean by "builder". If you mean the script that builds a
derivation, then no.
I want to store encrypted (safe to be readable by everyone) files in the
store and it's up to the "builder" (person who gives the command to
activate a config) to make sure he has the decryption key.

This can be a system-wide key, or more fine-grained (organisational units),
or even separate per-secret-per-machine keys.
Indeed some on-the-fly scheme that really acts per build (derivation) is
probably possible, but I don't think any secrets are needed during build,
but rather during activation.

I think a in-plain-sight solution using encryption won't require much
changes to the way the nix (store) currently works.

Extending this idea a little bit:
We can probably have some key management daemon listening on a socket (like
gpg-agent/ssh-agent) or network port (for central management). Then just
point nixos to this socket through a config setting or env var
(NIX_SECRETS_SOCKET) when activating and have it ask for keys there. (the
agent will then prompt/log that the key for "mysql-machine3" is being
requested)




> Encrypting/decrypting per se are easy.
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.science.uu.nl/pipermail/nix-dev/attachments/20120726/e400c0dd/attachment.html 


More information about the nix-dev mailing list