Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License

feature request: support for external key management #629

Open Oudwins opened 1 month ago

Oudwins commented 1 month ago

I'm not 100% clear exactly on how sops works. But from my limited understanding, the intended use was for AWS VMs, where sops would communicate with KMS to decrypt the secrets.

Unless I am mistaken, sops-nix doesn't currently support KMS or any other similar service. The request would be to add support for KMS (or similar), and perhaps this could open the door to using the host machine as the key provider when remotely building machines through nixos-rebuild.

Oudwins commented 1 month ago

To add further context on this:

I am trying to update remote machines through nixos-rebuild and would like to also update the secrets. However, this will only work if I encrypt the secrets file with a key the remote machine has access to, which means (as I have been gracefully told by an awesome Discord member) that I need to:

  1. Distribute a master key to each remote machine which is able to decrypt the secrets (which doesn't seem terribly secure)
  2. Create keys on the remote machine, grab the public key and encrypt the secrets with it (which seems like it just will not scale and generally be a pain to do for every new machine)

Mic92 commented 1 month ago

The tricky bit is that the activation phase doesn't have network. So what people did in the past was enable networking in initrd. An alternative that I used in the past on GCP was having a systemd service that would just run plain sops to decrypt secrets but would also depend on networking, and then every service that depends on it would depend on that service.
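The second approach described above, as an added example that is not sops-nix code and not the commenter's own configuration: a NixOS module with a oneshot systemd unit that waits for the network, runs plain `sops --decrypt` against a file encrypted to a cloud KMS key, and a consumer unit that hard-requires it so it never starts without its secrets. The file path `./secrets/app.env`, the directory `/run/secrets-kms` and the unit names `sops-kms-decrypt` and `my-app` are assumptions for illustration. It also assumes the host authenticates to KMS through the cloud SDK's default credential chain (for example an instance role), which is what lets this work without any key material on disk.

```nix
# Added example, not sops-nix code: decrypt a KMS-encrypted sops file from a
# network-dependent systemd unit and make a consumer service depend on it.
# Paths and unit names below are hypothetical.
{ config, pkgs, lib, ... }:

let
  # Hypothetical: the sops-encrypted file is shipped in the system closure.
  # That is safe only because it is encrypted; the store is world-readable.
  encryptedEnv = ./secrets/app.env;
  # Hypothetical runtime directory, root-only, on tmpfs so nothing hits disk.
  secretsDir = "/run/secrets-kms";
in
{
  systemd.services.sops-kms-decrypt = {
    description = "Decrypt sops secrets with KMS once the network is up";
    wantedBy = [ "multi-user.target" ];
    # Both are needed: 'after' alone does not pull the target in, and 'wants'
    # alone does not order this unit behind it. Check that a wait-online unit
    # is actually enabled on the host, otherwise network-online.target can be
    # reached before any interface has an address.
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;  # stays "active" so dependants can Requires= it
      UMask = "0077";          # anything sops creates is root-only
    };
    script = ''
      install -d -m 0700 ${secretsDir}
      # sops reads the KMS key reference from the file's own metadata and
      # authenticates with the cloud SDK's default credential chain, so the
      # host holds no long-lived decryption key.
      ${pkgs.sops}/bin/sops --decrypt --output ${secretsDir}/app.env ${encryptedEnv}
      chmod 0400 ${secretsDir}/app.env
    '';
  };

  # Consumer: Requires= (not Wants=) so a failed decrypt fails this unit too,
  # instead of letting it start with an empty environment.
  systemd.services.my-app = {
    description = "Hypothetical service that consumes the decrypted secrets";
    wantedBy = [ "multi-user.target" ];
    after = [ "sops-kms-decrypt.service" ];
    requires = [ "sops-kms-decrypt.service" ];
    serviceConfig = {
      EnvironmentFile = "${secretsDir}/app.env";
      # Placeholder for the real program.
      ExecStart = "${pkgs.coreutils}/bin/true";
    };
  };
}
```

Because the decrypt unit runs after activation, anything that needs these secrets during activation itself (for example a user password hash) still cannot use this path; that is the limitation the comment above points at, and the initrd-networking route is the only way around it.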

Oudwins commented 1 month ago

Hey! Thanks for the reply. I see.... That seems tough then.

Again I'm not super familiar with all this so, if you don't mind, I'm going to just ask a bunch of stupid questions: