Signing Nix cache entries using AWS KMS or other HSM

Hi! In an enterprise context it can be very useful to sign cache entries using a managed key. A simple architecture for this might be:

  1. Signing nodes are assigned an AWS role giving them access to a specific KMS asymmetric key.
  2. Key usage is audited and locked down.

By doing this, we can avoid worrying about ever losing the signing key - we can issue short-lived credentials to the hosts that should have access and so know with some confidence that if we revoke all access, nothing new can be signed by that key. Likewise, we know that if we delete the key, nothing new can be signed by it.

I’m wondering whether it might be possible to use a KMS asymmetric key as the key for Nix derivations? I can’t find much in the way of explanations of how Nix signing works - other tools use GPG for signatures and there’s a pre-existing AWS KMS GPG shim, but it’s less clear.

So for now, I’m really just asking what exists in the space. Is anyone signing stuff in Nix based on more than just ‘generate-key’ and ‘store sign’?

Last time I checked, AWS KMS doesn’t support Ed25519 keys that Nix expects for signing.

You could use HashiCorp Vault to handle the signing: Encryption as a Service: transit secrets engine | Vault | HashiCorp Developer
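For readers who, like the original poster, could not find a description of how Nix signing works, here is an added example (not from this thread or from Nix itself) that reproduces the narinfo signature scheme with Go's standard-library Ed25519: the fingerprint string that is actually signed, the `<name>:<base64>` key and `Sig:` formats, and verification against `trusted-public-keys` entries. It shows why the Ed25519 limitation above bites: any KMS or HSM would have to return a raw Ed25519 signature over exactly this fingerprint. Key names and store paths in the test are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Fingerprint is the exact byte string Nix signs: "1;<storePath>;<narHash>;<narSize>;<sorted refs>".
func Fingerprint(storePath, narHash string, narSize uint64, refs []string) string {
	sorted := append([]string(nil), refs...) // references are sorted, comma-separated full store paths
	sort.Strings(sorted)
	return fmt.Sprintf("1;%s;%s;%d;%s", storePath, narHash, narSize, strings.Join(sorted, ","))
}

// NewKeyPair returns (secret, public) as "<name>:<base64>", the layout nix key generate-secret writes.
func NewKeyPair(name string) (string, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // priv is the 64-byte seed||public form
	enc := base64.StdEncoding.EncodeToString
	return name + ":" + enc(priv), name + ":" + enc(pub), err
}

// splitKey separates "<name>:<base64>" into its key name and decoded bytes.
func splitKey(line string) (name string, raw []byte, ok bool) {
	name, b64, found := strings.Cut(line, ":")
	raw, err := base64.StdEncoding.DecodeString(b64)
	return name, raw, found && err == nil
}

// SignFingerprint produces the narinfo "Sig:" value, "<name>:<base64 signature>".
func SignFingerprint(secretLine, fp string) (string, bool) {
	name, raw, ok := splitKey(secretLine)
	if !ok || len(raw) != ed25519.PrivateKeySize {
		return "", false // malformed or wrong-sized key: refuse rather than panic
	}
	return name + ":" + base64.StdEncoding.EncodeToString(ed25519.Sign(ed25519.PrivateKey(raw), []byte(fp))), true
}

// VerifyFingerprint checks a Sig value against trusted-public-keys; an untrusted key name is rejected.
func VerifyFingerprint(trusted []string, fp, sigLine string) bool {
	sigName, sig, ok := splitKey(sigLine)
	for _, t := range trusted {
		if name, pub, ok2 := splitKey(t); ok && ok2 && name == sigName && len(pub) == ed25519.PublicKeySize {
			return ed25519.Verify(ed25519.PublicKey(pub), []byte(fp), sig)
		}
	}
	return false
}
```

The signing step is the only part a managed key would replace; the fingerprint construction and verification stay client-side and unchanged.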

Ah, yes, that’s a bummer. Well, AWS will presumably start offering EC KMS at some point, and hopefully it aligns with what Nix supports!