I currently use agenix to manage secrets files for various services. The encrypted files are included in my nix repo, and I can point to them for any given service. But I’m curious if agenix can be used for user passwords too.
Currently I use `users.users.<name>.hashedPasswordFile` for each user, so in theory I could point that file path to an agenix path rather than the current hardcoded file path, right? I assume I would need to allow agenix to (re-)encrypt the password file to make it available at runtime.
My questions are:
- Is this safe (or safe enough)? I know it’s common to include age-encrypted files in git repos, but would a user password file be too risky, even when encrypted the same way?
- I’m pretty sure agenix files get decrypted before user logins; is there anything else that would prevent these from being used for user passwords?
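For reference, here is an added example (not the poster's configuration) of what that wiring looks like in a NixOS module. It assumes the agenix NixOS module is already imported, and `alice`, `alice-password` and `./secrets/alice-password.age` are placeholder names.

```nix
# Added example: an age-encrypted password *hash* wired into
# users.users.<name>.hashedPasswordFile via agenix.
# Placeholders: user `alice`, secret `alice-password`, file ./secrets/alice-password.age
{ config, ... }:
{
  # Host key agenix uses to decrypt secrets at system activation.
  # This is agenix's default; listed explicitly for clarity.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.alice-password = {
    # The .age file lives encrypted in the repo. Its plaintext is only the
    # crypt(3) hash (e.g. output of `mkpasswd -m sha-512`), not the password.
    file = ./secrets/alice-password.age;
    # Defaults kept on purpose: decrypted into /run/agenix, readable by
    # root only, which is all the login path needs.
    mode = "0400";
    owner = "root";
    group = "root";
  };

  # With mutableUsers = false the declared options are the sole source of
  # truth for accounts and passwords, so the decrypted file is always what
  # is in effect after activation.
  users.mutableUsers = false;

  users.users.alice = {
    isNormalUser = true;
    # Point at the decrypted runtime path rather than a file in the repo.
    hashedPasswordFile = config.age.secrets.alice-password.path;
  };
}
```

Note that the file holds only a password hash, so even an accidental leak of the decrypted copy exposes no more than `/etc/shadow` would; the age layer protects that hash while it sits in git.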