| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are other alternatives:
* [This blog post about NixOs secret encryption](https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20)
* Directly to agenix:
* A [rewrite in rust](https://github.com/yaxitech/ragenix)
* A dead (?) [rewrite in rust](https://github.com/cole-h/agenix-cli)
* An implementation of Sops for nix: [Sops-nix](https://github.com/Mic92/sops-nix)
* See the [NixOs wiki entry](https://nixos.wiki/wiki/Comparison_of_secret_managing_schemes) for further options.
Reasons for agenix:
I mostly just ruled other options out, until this was the only real
thing:
* The blog post was created in a time, where tools like agenix where
not available, and it (very simplified) just shows, how to
implement a basic version of agenix
* The rewrite are both in itself interesting, but lack community
support, this is however subject to change, and thus a migration
to a rewrite might be feasible in the future.
* Sops seems like a really nice thing, with support for nearly all
relevant encryption options, but the documentation for sops-nix
seems rather lack-luster for me, so I decided to stay with agenix,
especially because I should not need the extra encryption
options.
* And lastly most of the option on the wiki page need excessive
manual intervention on every reboot (maybe because the were written
with servers in mind), but I would like to be able to deploy once
and then never have to think about secret management.
So you see, I mostly just used what seemed to be the easiest for my
situation right now, and agenix works rather well. If there weren't one
big downside, I would really like it: Encrypting a file with age — which
is what agenix uses under the hood — requires a key, which in the case
of agenix is the public ssh key. Being asymmetric encryption, the
decryption requires the private key, which is in my case stored in an
ssh-agent, feed directly from KeepassXC. And this is where the problem
lives, I want to be able to decrypt the secrets (obviously), and this
only works if I copy the private key to a file, which, whilst being a
manual process, completely breaks the point behind using an ssh-agent
with KeepassXC integration in the first place.
There are however open Issues on both the rage an agenix issue
trackers, so the hope of fixing this is still there.
|
