NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Provide options for storing secrets outside the Nix store #24288

Open basvandijk opened 7 years ago

basvandijk commented 7 years ago

Introduction

Dear module authors and maintainers,

We currently have many modules that force users to store their secrets in the world-readable Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use nixops to manage their secret files.

There's still the convenient but unsafe option of storing the secret file in the Nix store using pkgs.writeTextFile. If https://github.com/NixOS/nix/issues/8 gets resolved these files can be encrypted / made private. Also see: https://github.com/NixOS/rfcs/pull/5.

Proposal

The list below contains all the options that force a secret being stored in the Nix store. I propose the following:

  1. Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"

  2. Each option should get an alternative passwordFile option.

  3. For backwards compatibility the passwordFile option should get a default based on the password option:

{ config, lib, pkgs, ... }:
{
  config = {
    # Fallback only: writeTextFile puts the password in the world-readable
    # Nix store; toString yields the resulting store path.
    passwordFile = lib.mkDefault (toString (pkgs.writeTextFile {
      name = "password-file";
      text = cfg.password;
    }));
  };
}

  4. Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See https://github.com/namecoin/namecoin-core/issues/148 for example). A URL to the issue should be placed in the list below and in the documentation of the password option so that it's easier to track when it gets resolved.

  5. If after some time (let's use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to /run before the service starts up. So something like the following:

{
  systemd.services.my-service = {
    preStart = ''
      # Keep the generated config private: umask 077 makes it mode 0600,
      # and /run/my-service must exist before we write into it.
      umask 077
      mkdir -p /run/my-service
      cat > /run/my-service/config << EOF
      ...
      password = $(cat "${cfg.passwordFile}")
      ...
      EOF
    '';
    script = "${pkgs.myService}/bin/my-service --config=/run/my-service/config";
  };
}

  6. Let's use this issue for planning and to track progress. Please mention in the comments if you have provided a passwordFile option for one of the options below. Then I check the box to indicate it has been resolved. See PR https://github.com/NixOS/nixpkgs/pull/24146 for reference.

  7. If we make sure the new options are backwards compatible we could consider cherry-picking them onto release-17.03 making sure users get these security fixes ASAP.

Secret options

This list was compiled by running the following in <nixpkgs> and manually inspecting and processing the result:

find . -type f -exec grep --color -nH -i -E -e '(secret|pass|key)' {} +

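The proposal above, carried through as one complete NixOS module, as an added example that is not part of the issue or of nixpkgs. The service name `example-daemon`, the package `pkgs.example-daemon` and its `--config` flag are hypothetical; the module keeps the store-backed `password` option for compatibility, derives `passwordFile` from it with `mkDefault`, emits a build-time warning when the insecure path is taken, and renders the secret into a private file under `/run` at service start (the preStart runs as the service user, so `passwordFile` must be readable by that user, for instance via a `keys` group as in a nixops deployment).

```nix
# Added example (not from the issue or nixpkgs): a module for a hypothetical
# service that offers both `password` (store-backed, warned) and `passwordFile`.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.example-daemon;
  runDir = "/run/example-daemon";
in
{
  options.services.example-daemon = {
    enable = lib.mkEnableOption "the example daemon (hypothetical)";

    password = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = ''
        Password for the daemon.
        Warning: this secret is stored in the world-readable Nix store!
        Prefer services.example-daemon.passwordFile.
      '';
    };

    passwordFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        File containing the daemon password. It is read when the service
        starts, so it can live outside the Nix store with restrictive
        ownership and permissions (e.g. deployed to /run/keys by nixops).
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Backwards compatibility: if the user set `password`, fall back to a
    # store path holding it. Users who set only passwordFile never hit this.
    services.example-daemon.passwordFile = lib.mkIf (cfg.password != null)
      (lib.mkDefault (toString (pkgs.writeTextFile {
        name = "example-daemon-password";
        text = cfg.password;
      })));

    # Make the insecure path visible at evaluation time.
    warnings = lib.optional (cfg.password != null)
      "services.example-daemon.password is stored in the world-readable Nix store; use services.example-daemon.passwordFile instead.";

    users.users.example-daemon = {
      isSystemUser = true;
      group = "example-daemon";
    };
    users.groups.example-daemon = { };

    systemd.services.example-daemon = {
      description = "Example daemon (hypothetical)";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # Render the real config at start. umask 077 gives the file mode 0600,
      # so the secret is never readable by other users even though /run is.
      preStart = ''
        umask 077
        cat > ${runDir}/config <<EOF
        listen = 127.0.0.1:8080
        password = $(cat "${cfg.passwordFile}")
        EOF
      '';

      serviceConfig = {
        # systemd creates /run/example-daemon owned by User before preStart
        # runs; 0700 keeps the directory itself private as well.
        RuntimeDirectory = "example-daemon";
        RuntimeDirectoryMode = "0700";
        User = "example-daemon";
        Group = "example-daemon";
        ExecStart = "${pkgs.example-daemon}/bin/example-daemon --config ${runDir}/config";
      };
    };
  };
}
```

Setting `passwordFile` alone leaves `password` at `null`, so nothing secret reaches the store; setting only `password` still evaluates but prints the warning, which is the migration path the proposal asks for.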
aanderse commented 6 years ago

@basvandijk You can mark redmine as complete as of 18.09 as a passwordFile option has been added.

aanderse commented 5 years ago

@basvandijk the owncloud module was removed so you can tick that off.

gbiscuolo commented 4 years ago

This is a related topic I started on Discourse: In configuration.nix can I read a value from a file?

globin commented 4 years ago

Also see https://github.com/NixOS/rfcs/pull/59

wucke13 commented 4 years ago

services.mattermost.localDatabasePassword needs adjustment too.

infinisil commented 4 years ago

Related is my PR which adds types.secretPath: https://github.com/NixOS/nixpkgs/pull/78640

liamdiprose commented 4 years ago

List Updates These options now exist:

These options need an associated passwordFile option:

nixos-discourse commented 4 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/any-default-config-for-reproducible-configurations/5268/17

wucke13 commented 4 years ago

services.mattermost.localDatabasePassword is not possible via file as well.

doronbehar commented 4 years ago

I think we should add to this list the mpd module, which now gets the ability to store its password "<pwd>@permissions" entry outside the store, at https://github.com/NixOS/nixpkgs/pull/95599 .

felschr commented 3 years ago

I just noticed that virtualisation.oci-containers.containers.<name>.environment doesn't allow scripting: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/oci-containers.nix#L242

Container environment variables are frequently used for secrets, too, thus I think we should provide an easy way to include them. I see a few different ways to solve this:

roberth commented 3 years ago

UPDATE: For Vault it's not the optimal solution, but this approach can be suitable for other services that have secrets in (somewhat) arbitrary places in the config file BUT can not load multiple config files.


For hashicorp Vault here's a PR that lets you upload the config via NixOps or use any path. https://github.com/NixOS/nixpkgs/pull/107323

I don't think I've seen this approach before. Example config:

{ config, ... }:
{
  # The rendered config text still contains the sensitive value...
  services.vault.storageConfig = ''connection_url = "${somethingSensitive}"'';
  # ...but the service reads it from a path outside the Nix store,
  services.vault.configPath = "/run/keys/vault.hcl";
  users.users.vault.extraGroups = ["keys"];
  # which NixOps deploys as a key file owned by the vault user.
  deployment.keys."vault.hcl" = {
    text = config.services.vault.configText;
    user = "vault";
  };
}

Note, vault storageConfig isn't super sensitive because a leak isn't supposed to affect confidentiality or integrity, but it will affect availability and accountability.

rnhmjoj commented 2 years ago

I'm trying to fix wpa_supplicant (networking.wireless) in #134618. Could anyone help by reviewing it?

domenkozar commented 2 years ago

There are now docs for how to handle this for new modules at https://github.com/NixOS/nixpkgs/pull/142282

kevincox commented 2 years ago

These docs handle the easy part of the problem. They are about how to use secrets outside of the store, not how to manage the secrets themselves. Ideally we wouldn't need to push this complexity onto the user.

ncfavier commented 2 years ago

We can probably tick the networking.wireless.networks.*.psk box now that https://github.com/NixOS/nixpkgs/pull/134618 was merged.

nixos-discourse commented 2 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/agenix-encrypted-plaintext-passwords-and-builtins-readfile/18425/8

ppom0 commented 9 months ago

Some boxes can be checked (✅ done, 🙅 module removed, ❓ option doesn't seem to exist anymore):

Maybe some insecure options appeared in new modules since then!

CMCDragonkai commented 9 months ago

Is there a conclusion to this issue that specifies exactly what behaviour is?

ppom0 commented 9 months ago

Can someone edit the issue? @basvandijk maybe :)