Choosing a secrets management approach

I am seeking to revise my secrets management approach.

My aspirations are:

  • Spend less time inputting ssh-key passwords
  • Spend less time inputting my lastpass password
  • automate systemd secrets access
  • generally make passwords/ssh easier
  • automate secrets access to new nixos/nix installations
  • maximize safety in the short and long term

Presently I use lastpass, though I’m seeing that some online do not find it trustworthy.

I wonder if I should migrate to an entirely different password manager.

I’m also seeing that sops-nix and agenix do not make a priority of utilizing password managers.

My learning curve to secrets management is pretty steep at the moment, so I don’t really know which trees I should be barking up, even though I’ve been researching this for a few days.

I know that this is a complicated problem to solve, and that there are many ways to solve it… but what recommendations might you offer me? I’d be extremely grateful for some direction!


For my gpg and ssh keys, I have them on a yubikey, using a short passkey for unlock, here is an article to do the setup in a secure way (offline): GitHub - drduh/YubiKey-Guide: Guide to using YubiKey for GnuPG and SSH

I use sops-nix for my servers but not my workstation. There are some cases where I have GPG-encrypted secrets in my nix store; they are decrypted when needed at runtime (for example my wireguard private key).

I don’t know lastpass well, but I’m using a self-hosted bitwarden (with 2FA) for a lot of stuff; you can configure how long it stays unlocked.
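For readers wondering what the sops-nix setup described in the post above looks like in practice, here is an added example NixOS module (not the poster's own config, and not from the sops-nix project). It shows the two things the original question asked for: a secret consumed at runtime by the wireguard service without ever landing in the world-readable nix store, and a secret handed to a systemd unit. Assumptions: the sops-nix module is already imported, the secrets file is `./secrets/host.yaml` encrypted to an age key derived from the host's ssh key (the poster uses GPG instead; sops-nix supports both), the YAML key names `wireguard/wg0` and `api_token`, the IP address, and the `myapp` package and unit are all placeholders.

```nix
# Added example, not the poster's configuration. Assumes sops-nix is
# imported and that ./secrets/host.yaml was encrypted with `sops` to the
# recipient obtained from this host's /etc/ssh/ssh_host_ed25519_key.pub.
{ config, pkgs, ... }:
{
  sops.defaultSopsFile = ./secrets/host.yaml;

  # Derive the host's age identity from its ssh host key, so a fresh
  # installation can decrypt its secrets as soon as sshd has generated
  # its keys; no per-host key has to be copied around by hand.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Nested YAML keys are addressed with a slash. The decrypted file is
  # written under /run/secrets at activation, owned by root, mode 0400.
  sops.secrets."wireguard/wg0" = {
    mode = "0400";
  };

  # wireguard reads the key from the decrypted file when the interface
  # comes up; the ciphertext in the store is all that nix ever sees.
  networking.wireguard.interfaces.wg0 = {
    ips = [ "10.100.0.2/24" ];          # placeholder address
    privateKeyFile = config.sops.secrets."wireguard/wg0".path;
    peers = [ ];                         # add peers here
  };

  # A service secret: restart the unit whenever the secret changes.
  sops.secrets.api_token = {
    restartUnits = [ "myapp.service" ];
  };

  # systemd reads the root-owned file as root and exposes it to the
  # unprivileged DynamicUser service as $CREDENTIALS_DIRECTORY/api_token,
  # so the secret file itself never needs a looser mode or owner.
  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      DynamicUser = true;
      LoadCredential = "api_token:${config.sops.secrets.api_token.path}";
      # placeholder: pkgs.myapp does not exist, substitute the real package
      ExecStart = "${pkgs.myapp}/bin/myapp --token-file \${CREDENTIALS_DIRECTORY}/api_token";
    };
  };
}
```

The age recipient for `.sops.yaml` can be produced from the host's public key with `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`, and the YAML file is edited in place with `sops secrets/host.yaml`, which is what keeps plaintext out of the repository and out of the store.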

I couldn’t answer the other questions, but:

Lastpass had a pretty nasty security breach, including billing information, access data, emails, and site URLs in plaintext, and a previous hack exposed encrypted master passwords. Given multiple such failures, I would not consider it secure. Thankfully exporting all your data into a CSV from Lastpass is pretty straightforward, and any decent manager should be able to import a CSV (I’ve had good success with vaultwarden).


thanks for the help y’all! I’ve done some more digging and have decided to opt for sops-nix, and to migrate to another password manager. I’m excited for the undertaking
