feature request: support for external key management #629

Open
Oudwins opened this issue Oct 1, 2024 · 3 comments
Comments

@Oudwins
Oudwins commented Oct 1, 2024

I'm not 100% clear exactly on how sops works. But from my limited understanding the intended use was for AWS VMs where sops would communicate with KMS to decrypt the secrets.

Unless I am mistaken, sops-nix doesn't currently support KMS or any other similar service. The request would be to add support for KMS (or similar) and perhaps this could open the door to using the host machine as the key provider when remotely building machines through nixos-rebuild.

@Oudwins Oudwins changed the title feature request: support for secrets servers feature request: support for key management servers Oct 1, 2024
@Oudwins Oudwins changed the title feature request: support for key management servers feature request: support for external key management Oct 1, 2024
@Oudwins
Author

Oudwins commented Oct 1, 2024

To add further context on this:

I am trying to update remote machines through nixos-rebuild and would like to also update the secrets. However, this will only work if I encrypt the secrets file with a key the remote machine has access to, which means (as I have been gracefully told by an awesome discord member) that I need to:

  1. Distribute a master key to each remote machine which is able to decrypt the secrets (which doesn't seem terribly secure)
  2. Create keys on the remote machine, grab the public key and encrypt the secrets with it (which seems like it just will not scale and generally be a pain to do for every new machine)

@Mic92
Owner

Mic92 commented Oct 1, 2024

The tricky bit is that the activation phase doesn't have network. So what people in the past did was enabling networking in initrd. An alternative that I used in the past on GCP was having a systemd service that would just run plain sops to decrypt secrets but also depend on networking, and then every service that depends on the secrets would depend on that service.
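
The workaround Mic92 sketches above, written out as an added NixOS module example (this is not code from the thread or from sops-nix); the service names, the `/run/kms-secrets` path, the encrypted file location and the `hello` consumer are assumptions:

```nix
# Added example, not part of the issue or of sops-nix. Assumes the host can reach
# its KMS with credentials from the cloud instance metadata service, and that a
# sops-encrypted file lives at ./secrets/app.env next to this module.
{ config, pkgs, ... }:
{
  # Oneshot service: wait for the network, then run plain `sops` to decrypt into
  # a root-only runtime directory. /run/kms-secrets is used instead of
  # /run/secrets so it does not collide with what sops-nix manages.
  systemd.services.sops-kms-decrypt = {
    description = "Decrypt sops secrets via external KMS after network is up";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;        # stays "active" so dependents can order after it
      UMask = "0077";                # decrypted file is created mode 0600
      RuntimeDirectory = "kms-secrets";
      RuntimeDirectoryMode = "0700";
    };
    script = ''
      ${pkgs.sops}/bin/sops --decrypt --output /run/kms-secrets/app.env \
        ${./secrets/app.env}
    '';
  };

  # Every consumer must both require and order after the decrypt service;
  # `after` alone would not start it, `requires` alone would not wait for it.
  systemd.services.my-app = {
    description = "Example consumer of the decrypted secrets (assumed service)";
    wantedBy = [ "multi-user.target" ];
    requires = [ "sops-kms-decrypt.service" ];
    after = [ "sops-kms-decrypt.service" ];
    serviceConfig = {
      EnvironmentFile = "/run/kms-secrets/app.env";
      ExecStart = "${pkgs.hello}/bin/hello";
    };
  };
}
```

`network-online.target` only blocks when a wait-online service is enabled for the networking stack in use; without one the decrypt step can still race the network coming up.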

@Oudwins
Author

Oudwins commented Oct 1, 2024

Hey! Thanks for the reply. I see.... That seems tough then.

Again I'm not super familiar with all this so, if you don't mind, I'm going to just ask a bunch of stupid questions:

  • What about supporting decryption on the local machine & pushing those secrets to the remote machine somehow? This way I can bootstrap the server and set it up so it can self serve somehow maybe
  • Do you have an example for the work around you used in GCP?
  • What about doing something like on nixos-rebuild switch do a first pass to generate the secrets and a second to actually build the system now that the secrets are in the right place? (Feels like if this were possible someone would have thought of it)
  • Do you happen to know what this project does to get around having to set systemd service dependencies? (I don't see it referencing dependencies) https://github.com/serokell/vault-secrets
