Agenix - manage NixOS secrets - public beta

agenix - manage NixOS secrets

This project has not be audited by a security professional.

agenix is a commandline tool for managing secrets encrypted with your existing SSH keys. It includes a NixOS module age for adding encrypted secrets into the Nix store and decrypting them.

Problem and solution

All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from nixos-rebuild, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.

agenix solves these issues by using your pre-existing SSH key infrastructure and age to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.

Features

  • Secrets are encrypted with existing SSH keys
  • No GPG
  • Very little code, so it should be easy for you to audit
  • Encrypted secrets are stored in the Nix store, so a separate distribution mechanism is not necessary

Public Beta

Today, I’ve released version 0.9 which is the first public beta release. Right now, I may be the only user of agenix. I use it at home to manage all my secrets. Please take a look at the code, provide feedback, and try it out!

Shout out to @Mic92 whose sops-nix is probably much more production-ready™.

9 Likes

This looks good, thanks. I already have pre-existing GPG key infrastructure, but I appreciate the simplicity of age.

I am wondering, is it possible to have forward secrecy for secrets in /nix/store? So each system generation would have secrets encrypted with a unique session key, and if the private key were compromised, it could not be used to decrypt secrets from an older generation. Perhaps this would make rollback difficult though.

This is a topic which I’m sadly not well informed on, but keeping encrypted secrets in public-ish places such as /nix/store or git repos makes me uneasy.

1 Like

Thanks for the feedback!

I’m not sure how this would work. If the session key is also in the nix store, it doesn’t provide any protection, and if it isn’t you’d be back to deploying secrets out of band.

I am also planning on exposing sops age support soonish, but its good to have multiple alternatives.

I think the current sops age support only supports encryption with age keys, which may be nicer to manage than GPG keys, but I think using an existing OpenSSH key infrastructure can be nice in certain setups. Unfortunately, age and rage both do not support an ssh-agent, so keys with passphrases are very annoying to use. Hopefully I can work on mitigating that issue.

1 Like

Yes. My plan was also to import ed25519 ssh host keys on servers, just like I do for rsa ssh keys with sops-nix.

1 Like