Skip to content

Provide options for storing secrets outside the Nix store #24288

Open
#222536
Open
Provide options for storing secrets outside the Nix store#24288
#222536
Labels
1.severity: securityIssues which raise a security issue, or PRs that fix one5.scope: trackingLong-lived issue tracking long-term fixes or multiple sub-problems6.topic: nixosIssues or PRs affecting NixOS modules, or package usability issues specific to NixOS
Milestone
26.11
@basvandijk

Description

@basvandijk
basvandijk
opened on Mar 24, 2017

Introduction

Dear module authors and maintainers,

We currently have many modules that force users to store their secrets in the world-readble Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use nixops to manage their secret files.

There's still the convenient but unsafe option of storing the secret file in the Nix store using pkgs.writeTextFile. If NixOS/nix#8 gets resolved these files can be encrypted / made private. Also see: NixOS/rfcs#5.

Proposal

The list below contains all the options that force a secret being stored in the Nix store. I propose the following:

  1. Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"

  2. Each option should get an alternative passwordFile option.

  3. For backwards compatibility the passwordFile option should get a default based on the password option:

{ config = {
    passwordFile = mkDefault (toString (pkgs.writeTextFile {
      name = "password-file";
      text = cfg.password;
    }));
  };
}

  1. Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See Support specifying rpcpassword by file namecoin/namecoin-core#148 for example). A URL to the issue should be placed in the list below and in the documentation of the password option so that it's easier to track when it gets resolved.

  2. If after some time (lets use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to /run before the service starts up. So something like the following:

{
  systemd.services.my-service = {  
    preStart = ''
      cat > /run/my-service/config << EOF
      ...
      password = $(cat "${cfg.passwordFile}")
      ...
      EOF
    '';
    script = "${pkgs.myService}/bin/my-service --config=/run/my-service/config";
  };
}

  1. Lets use this issue for planning and to track progress. Please mention in the comments if you have provided a passwordFile option for one of the options below. Then I check the box to indicate it has been resolved. See PR wordpress: replace the dbPassword option with dbPasswordFile #24146 for reference.

  2. If we make sure the new options are backwards compatible we could consider cherry-picking them onto release-17.03 making sure users get these security fixes ASAP.

Secret options

This list was compiled by running the following in <nixpkgs> and manually inspecting and processing the result:

find . -type f -exec grep --color -nH -i -E -e '(secret|pass|key)' {} +`

Metadata

Metadata

Assignees

No one assigned

    Labels

    1.severity: securityIssues which raise a security issue, or PRs that fix one5.scope: trackingLong-lived issue tracking long-term fixes or multiple sub-problems6.topic: nixosIssues or PRs affecting NixOS modules, or package usability issues specific to NixOS

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions