Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide options for storing secrets outside the Nix store #24288

Open
25 of 76 tasks
basvandijk opened this issue Mar 24, 2017 · 67 comments
Open
25 of 76 tasks

Provide options for storing secrets outside the Nix store #24288

basvandijk opened this issue Mar 24, 2017 · 67 comments

Comments

@basvandijk
Copy link
Member

basvandijk commented Mar 24, 2017

Introduction

Dear module authors and maintainers,

We currently have many modules that force users to store their secrets in the world-readble Nix store. This is bad for security. We should give users the option of specifying their secrets in individual files which can be stored outside the Nix store with suitable ownership and permissions. Users could then also use nixops to manage their secret files.

There's still the convenient but unsafe option of storing the secret file in the Nix store using pkgs.writeTextFile. If NixOS/nix#8 gets resolved these files can be encrypted / made private. Also see: NixOS/rfcs#5.

Proposal

The list below contains all the options that force a secret being stored in the Nix store. I propose the following:

  1. Each option should get a warning in the documentation of the form: "Warning: this secret is stored in the world-readable Nix store!"

  2. Each option should get an alternative passwordFile option.

  3. For backwards compatibility the passwordFile option should get a default based on the password option:

{ config = {
    passwordFile = mkDefault (toString (pkgs.writeTextFile {
      name = "password-file";
      text = cfg.password;
    }));
  };
}
  1. Some upstream programs don't support setting a password using a file. In that case an issue should be created in the upstream issue-tracker asking for that feature. (See Support specifying rpcpassword by file namecoin/namecoin-core#148 for example). A URL to the issue should be placed in the list below and in the documentation of the password option so that it's easier to track when it gets resolved.

  2. If after some time (lets use September 2017 for now) the upstream developers have not provided the feature to specify the password by file, the NixOS module should be changed such that the config file that contains the password is written to /run before the service starts up. So something like the following:

{
  systemd.services.my-service = {  
    preStart = ''
      cat > /run/my-service/config << EOF
      ...
      password = $(cat "${cfg.passwordFile}")
      ...
      EOF
    '';
    script = "${pkgs.myService}/bin/my-service --config=/run/my-service/config";
  };
}
  1. Lets use this issue for planning and to track progress. Please mention in the comments if you have provided a passwordFile option for one of the options below. Then I check the box to indicate it has been resolved. See PR wordpress: replace the dbPassword option with dbPasswordFile #24146 for reference.

  2. If we make sure the new options are backwards compatible we could consider cherry-picking them onto release-17.03 making sure users get these security fixes ASAP.

Secret options

This list was compiled by running the following in <nixpkgs> and manually inspecting and processing the result:

find . -type f -exec grep --color -nH -i -E -e '(secret|pass|key)' {} +`
@ip1981
Copy link
Contributor

ip1981 commented Mar 24, 2017

FYI, check out how I handle secrets throughout all the apps here: https://github.com/ip1981/nixsap/tree/master/modules/apps

Especially, with Jenkins :)

@teh
Copy link
Contributor

teh commented Mar 24, 2017

I suspect @fpletz is now the maintainer for gitlab (sorry, I see you'r name is in this list a lot!)

@edolstra
Copy link
Member

Wow, I didn't know the situation was this bad. All of these options should be removed really. It's almost as if people don't realize that the Nix store is world readable...

@jml
Copy link
Contributor

jml commented Mar 24, 2017

@basvandijk — any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?

@Ekleog
Copy link
Member

Ekleog commented Mar 24, 2017

Hmm, I didn't re-read NixOS/nix#8 completely, but it seemed to me last time that @edolstra 's solution using encryption in the store and decryption at startup time was working and there was mostly bikeshedding about encryption vs ACLs?

This would be much easier than trying to patch every single upstream program that does not accept password files, especially given that some may not be willing to do it as it adds quite a bit of complexity. Wouldn't it?

@rnhmjoj
Copy link
Contributor

rnhmjoj commented Mar 24, 2017

Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument.
Also expecting everyone upstream to comply seems incredibly too optimistic for me.

@basvandijk
Copy link
Member Author

any plan for preventing future changes adding secrets to the Nix store, beyond eternal vigilance?

@jml we could add something to the PULL_REQUEST_TEMPLATE.md instructing contributors to use passwordFile instead of password options.

@basvandijk
Copy link
Member Author

All of these options should be removed really...

@edolstra we could do that eventually but to ease the transition we should first provide a backwards compatible passwordFile option, then in a next release we could start throwing warnings when users use the password option and finally in a third release we can remove the password options.

@basvandijk
Copy link
Member Author

@Ekleog regarding NixOS/nix#8, even if we have the ability to encrypt files in the Nix store I think it would be best to only encrypt files that should be encrypted. Currently we have big config files that somewhere contain a password. It would nicer if the config file remains unencrypted because then it can be shared and it makes debugging easier. Only the password needs to be encrypted. So having passwords in individual files would still be desirable.

@edolstra
Copy link
Member

@basvandijk The encryption stuff allows you to encrypt only the "secret" parts of a configuration file. See edolstra@4c82120#diff-6c3fcb531890fdce200531b9ac69e4f8R14 for an example.

@rnhmjoj
Copy link
Contributor

rnhmjoj commented Mar 24, 2017

@basvandijk Sometimes even the password stored in the configuration file needs to be readable. dnschain, for example, parses namecoin.conf to connect to the rpc server.

@basvandijk
Copy link
Member Author

@rnhmjoj lets see how upstream reacts to a request for a rpcpasswordFile parameter...

@basvandijk
Copy link
Member Author

basvandijk commented Mar 24, 2017

The encryption stuff allows you to encrypt only the "secret" parts of a configuration file.

@edolstra that's great! What needs to be done to get this merged into Nix?

@edolstra
Copy link
Member

Well, it's not clear whether this is the way to go. @kevincox listed the issues here: NixOS/nix#8 (comment)

@basvandijk
Copy link
Member Author

@rnhmjoj regarding namecoind, would cookie based authentication work?

@basvandijk
Copy link
Member Author

Besides being quite inconvenient, storing passwords/keys in a file with restricted access outside the store, may not solve the problem: they could end up in a systemd environment file or a unit file if you need to pass those as an command line argument.

@rnhmjoj regarding secrets in systemd unit files, we can always create a wrapper script that cats the password file and passes that on to the original script. I do something similar here.

@basvandijk basvandijk changed the title Provide options of storing secrets outside the Nix store Provide options for storing secrets outside the Nix store Mar 24, 2017
@mbrgm
Copy link
Member

mbrgm commented Mar 24, 2017

@basvandijk Regarding upstream changes for password file options: I think some cat/sed trickery, maybe creating a config file in /run from a template should also do the job for most cases where upstream doesn't have or doesn't want to add a password file, shouldn't it?

@basvandijk
Copy link
Member Author

@mbrgm sure and we should do that in case upstream doesn't provide a password file option.

@rasendubi
Copy link
Member

@basvandijk I would not tick the package until the PR is merged.

@rnhmjoj
Copy link
Contributor

rnhmjoj commented Mar 25, 2017

@basvandijk That seems a valid alternative for authenticating to namecoind however dnschain does not support it, so it would break the service. Anyway, thank you for opening the issue.

@basvandijk
Copy link
Member Author

I would not tick the package until the PR is merged.

@rasendubi makes sense. I've unticked the wordpress checkbox.

@edwtjo
Copy link
Member

edwtjo commented Mar 25, 2017

Well for aiccu; SixXS is closing down its IPv6 tunnel in June so it doesn't seem worth the effort to create a patch for aiccu to support password files. Lets just remove the service in 0606.

@zimbatm
Copy link
Member

zimbatm commented Mar 26, 2017

Nix encryption is going to take a while to get there given nix's release history speed. I don't think it should be a blocker for trying alternative implementations.

On the nixpkgs side, the protection would be based on unix file ACL. How about treating secrets like any other state? We could introduce a "mkState" interface that defines any kind of state reference on the filesystem.

let
  postgresState = mkState {
    type = "directory";
    name = "postgres";
    owner = "postgres";
    group = "postgres";
    mode = "0700";
    mustExist = false;
    # run a command if it's missing
    onMissing = "pg_init";
  };
  assert (toString postgresState) == "/var/lib/postgres";
  # mkSecret is a specialization of mkState with a default dir to /run/keys/${name}, mode = 0700 and mustExist = true  
  nginxSecret = mkSecret {
    owner = "nginx";
  };

This would translate to (1) some activation script actions like creating the state dir (2) systemd service to initialize and/or check the secret, which can then be used as a dependency for other services.

I know it's still pretty vague but hopefully enough to convey the idea.

@roberth
Copy link
Member

roberth commented Jan 4, 2021

UPDATE: For Vault it's not the optimal solution, but this approach can be suitable for other services that have secrets in (somewhat) arbitary places in the config file BUT can not load multiple config files.


For hashicorp Vault here's a PR that lets you upload the config via NixOps or use any path.
#107323

I don't think I've seen this approach before.
Example config:

{ config, ... }:
{
  services.vault.storageConfig = ''connection_url = "${somethingSensitive}"'';
  services.vault.configPath = "/run/keys/vault.hcl";
  users.users.vault.extraGroups = ["keys"];
  deployment.keys."vault.hcl" = {
    text = config.services.vault.configText;
    user = "vault";
  };
}

Note, vault storageConfig isn't super sensitive because a leak isn't supposed to affect confidentiality or integrity, but it will affect availability and accountability.

jwoudenberg added a commit to jwoudenberg/nixpkgs that referenced this issue Jun 5, 2021
When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which to read the secret should
be read at runtime. The path will not be added to the nix store.

The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.

This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: NixOS#24288
@rnhmjoj
Copy link
Contributor

rnhmjoj commented Sep 24, 2021

I'm trying to fix wpa_supplicant (networking.wireless) in #134618. Could anyone help by reviewing it?

@domenkozar
Copy link
Member

There are now docs for how to handle this for new modules at #142282

@kevincox
Copy link
Contributor

These docs handle the easy part of the problem. They are about how use use secrets outside of the store, not how to manage the secrets themselves. Ideally we wouldn't need to push this complexity onto the user.

@ncfavier
Copy link
Member

We can probably tick the networking.wireless.networks.*.psk box now that #134618 was merged.

@nixos-discourse
Copy link

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/agenix-encrypted-plaintext-passwords-and-builtins-readfile/18425/8

thoughtpolice pushed a commit that referenced this issue Dec 2, 2022
When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which to read the secret should
be read at runtime. The path will not be added to the nix store.

The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.

This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: #24288
rapenne-s pushed a commit to rapenne-s/nixpkgs that referenced this issue Dec 4, 2022
When using the declarative shared folder configuration for resilio sync
it is now possible to pass a path from which to read the secret should
be read at runtime. The path will not be added to the nix store.

The 'secret' parameter to specify the secret directly is still
supported. This option will still store the secret in the nix store.

This commit follows the pattern described in this issue, for upstream
programs that do not provide support for setting a password using a
file: NixOS#24288
@Artturin Artturin modified the milestones: 21.05, 23.05 Dec 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests