Closed c0c0n3 closed 7 months ago
So we've managed to make mkpasswd work on Apple silicon too by compiling with an older clang version---see a889269. Thanks to this, now vaultgen can use mkpasswd to generate yescrypt hashes---see 2e5a492.
Because of the above, I reckon we can close this issue? Well, it'd be nice to still consider the Haskell option mentioned in the earlier comment, but we'll leave that for another day.
At the moment we're hashing NixOS user passwords with SHA512. We could easily switch over to yescrypt which seems to be a better option or Argon2id which may be even better than yescrypt in some regards---see this and this.
To hash passwords, the vaultgen script uses openssl which currently doesn't support yescrypt. We could use mkpasswd instead which does support yescrypt but doesn't build on the M1 at the moment---NixOS 23.11.
PAM on NixOS defaults to yescrypt (as you can see from cat /etc/pam.d/chpasswd) so there's no prob using yescrypt instead of SHA512. But PAM doesn't yet support Argon2, so we can't use Argon2id just yet.
Put some thought into moving away from SHA512 if it turns out we need to up our security game. Also keep in mind we could easily rewrite the vaultgen script in Haskell using the new crypto ecosystem and do away with all the CLI tools vaultgen requires---age, openssl, etc. If we go down that road, we might just as well use the same Haskell program for decrypting secrets on the server so we could replace agenix too. Having just one tool to do everything could potentially make our life much easier.
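A check that supports the SHA512-to-yescrypt switch discussed in this issue, as an added example that is not part of vaultgen or the project's repository: it classifies shadow(5)-format entries by their crypt(5) prefix (`$6$` for SHA512, `$y$` for yescrypt) and lists the accounts that still need rehashing. The function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit shadow(5)-format entries by crypt(5) hash prefix.

# Map one password field to a scheme name.
hash_scheme() {
    case "$1" in
        ''|'!'|'*'|'!!') echo none ;;           # no usable password hash
        '!'*)    hash_scheme "${1#?}" ;;        # locked account: strip "!" and retry
        '$y$'*)  echo yescrypt ;;
        '$gy$'*) echo gost-yescrypt ;;
        '$7$'*)  echo scrypt ;;
        '$6$'*)  echo sha512crypt ;;
        '$5$'*)  echo sha256crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)  echo md5crypt ;;
        *)       echo unknown ;;
    esac
}

# Print "user<TAB>scheme" for each entry of the file given as $1.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(hash_scheme "$hash")"
    done < "$1"
}

# List users that have a password hash in any scheme other than yescrypt.
needs_rehash() {
    audit_shadow "$1" | awk -F'\t' '$2 != "yescrypt" && $2 != "none" { print $1 }'
}

# Constructed sample entries; salts and hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
bob:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700::::::
nixbld1:!:19700::::::
EOF
}

demo=$(mktemp)
sample_shadow > "$demo"
audit_shadow "$demo"            # one line per account
needs_rehash "$demo"            # accounts still to migrate
rm -f "$demo"
```

Locked entries that still carry a hash (such as the constructed `carol` line) are reported too, since unlocking the account would reactivate the old SHA512 hash.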