How can I delete sensitive information copied into `/nix/store` by flake?

phaeseeKe5Ee · November 9, 2024, 3:32pm

I use flake.nix and nix-direnv in a directory to write some latex documents in it, which contains some secret information, say mysecret.tex. I use flake because I think it was a good idea to make texlive and essential software portable so that I can also build the latex documents easily in some random machine with nix flake.

However I came across this issue Copy local flakes to the store lazily · Issue #3121 · NixOS/nix · GitHub, and this Is it possible to make a flake that has no source tree? - #6 by rnhmjoj, seems the flake copy the whole directory into /nix/store, and now I have multiple /nix/store/somerandomhash-source folders that contains mysecret.tex (I find it by find /nix/store -maxdepth 2 -iname 'mysecret.tex').

I am glad that I haven’t run the flake in the machine that I do not own.

How can I remove all of the corresponding /nix/store/somerandomhash-source directiories containing the sensitive information from nix store with the correct way? Thanks!

waffle8946 · November 9, 2024, 3:37pm

Run nix store delete [path].
If that gives you an error, run nix-store --query --roots [path] to figure out what depends on it (I don’t know the nix3 equivalent command and am too lazy to figure it out.)

phaeseeKe5Ee · November 9, 2024, 3:50pm

Thank, so I have to use some software like find to find the corresponding somerandomhash-source in /nix/store and delete it with nix store delete /nix/store/somehash-source one by one?

Ya I found 2 directiories unable to be deleted and remove the corresponding .direnv and I can delete it now.

Thank you so much!

waffle8946 · November 9, 2024, 3:58pm

You don’t have to delete it manually, the next garbage collection would catch anything that doesn’t have a gc root (and if something does have a gc root, you’d find it with the query command and delete the root like you just did).

Or to put it another way, the nix store delete command will only let you delete paths that would get gc’d anyway.

callahad · November 9, 2024, 5:36pm

And just to make the implicit explicit for future readers: nix-direnv does add its shell derivations to the user’s gcroots

waffle8946 · November 9, 2024, 8:36pm

Well they’re using flakes, even plain ol’ direnv will (incidentally) create a gc root for those:

github.com

direnv/direnv/blob/aa761e3944cf47751596b2082f2a3c9d33c5aeba/stdlib.sh#L1316-L1322


      
          use_flake() {
            watch_file flake.nix
            watch_file flake.lock
            mkdir -p "$(direnv_layout_dir)"
            eval "$(nix --extra-experimental-features "nix-command flakes" print-dev-env --profile "$(direnv_layout_dir)/flake-profile" "$@")"
            nix --extra-experimental-features "nix-command flakes" profile wipe-history --profile "$(direnv_layout_dir)/flake-profile"
          }