Agenix - manage NixOS secrets - public beta

ryantm · December 18, 2020, 6:18pm

agenix - manage NixOS secrets

This project has not be audited by a security professional.

agenix is a commandline tool for managing secrets encrypted with your existing SSH keys. It includes a NixOS module age for adding encrypted secrets into the Nix store and decrypting them.

Problem and solution

All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from nixos-rebuild, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.

agenix solves these issues by using your pre-existing SSH key infrastructure and age to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.

Features

Secrets are encrypted with existing SSH keys
- system public keys via ssh-keyscan
- can use public keys available on GitHub for users (for example, https://github.com/ryantm.keys)
No GPG
Very little code, so it should be easy for you to audit
Encrypted secrets are stored in the Nix store, so a separate distribution mechanism is not necessary

Public Beta

Today, I’ve released version 0.9 which is the first public beta release. Right now, I may be the only user of agenix. I use it at home to manage all my secrets. Please take a look at the code, provide feedback, and try it out!

Shout out to @Mic92 whose sops-nix is probably much more production-ready™.

rvl · December 18, 2020, 11:53pm

This looks good, thanks. I already have pre-existing GPG key infrastructure, but I appreciate the simplicity of age.

I am wondering, is it possible to have forward secrecy for secrets in /nix/store? So each system generation would have secrets encrypted with a unique session key, and if the private key were compromised, it could not be used to decrypt secrets from an older generation. Perhaps this would make rollback difficult though.

This is a topic which I’m sadly not well informed on, but keeping encrypted secrets in public-ish places such as /nix/store or git repos makes me uneasy.

ryantm · December 19, 2020, 12:23am

Thanks for the feedback!

I’m not sure how this would work. If the session key is also in the nix store, it doesn’t provide any protection, and if it isn’t you’d be back to deploying secrets out of band.

Mic92 · December 19, 2020, 7:42pm

I am also planning on exposing sops age support soonish, but its good to have multiple alternatives.

ryantm · December 19, 2020, 8:35pm

I think the current sops age support only supports encryption with age keys, which may be nicer to manage than GPG keys, but I think using an existing OpenSSH key infrastructure can be nice in certain setups. Unfortunately, age and rage both do not support an ssh-agent, so keys with passphrases are very annoying to use. Hopefully I can work on mitigating that issue.

Mic92 · December 19, 2020, 8:37pm

Yes. My plan was also to import ed25519 ssh host keys on servers, just like I do for rsa ssh keys with sops-nix.