mirror of https://github.com/ryantm/agenix.git
Problem and solution
All files in the Nix store are readable by any system user, so it is not a suitable place for including cleartext secrets. Many existing tools (like NixOps deployment.keys) deploy secrets separately from nixos-rebuild, making deployment, caching, and auditing more difficult. Out-of-band secret management is also less reproducible.
agenix solves these issues by using your pre-existing SSH key infrastructure and age to encrypt secrets into the Nix store. Secrets are decrypted using an SSH host private key during NixOS system activation.
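As an added illustration of that workflow (not code from the agenix repository), a `secrets.nix` that names which SSH public keys may decrypt each secret, alongside a NixOS configuration that only ever references the `.age` ciphertext. The key strings, host name, file paths and service name are placeholders.

```nix
# --- secrets.nix (example) ---
# Declares the recipients of each secret. agenix encrypts to every listed
# SSH public key, so the admin can edit the file and the host can decrypt it.
let
  # placeholder: an admin's key, e.g. from ~/.ssh/id_ed25519.pub
  admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...EXAMPLE-ADMIN";
  # placeholder: the target host's key, e.g. from /etc/ssh/ssh_host_ed25519_key.pub
  web01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...EXAMPLE-HOST";
in
{
  "myapp-env.age".publicKeys = [ admin web01 ];
}

# --- configuration.nix (example, for host web01) ---
{ config, ... }:
{
  # Only the ciphertext enters the repository and /nix/store. Being
  # world-readable there is fine: opening it needs a recipient's private key.
  age.secrets.myapp-env = {
    file = ./secrets/myapp-env.age;
    # Decrypted copy is created at activation; agenix defaults to root:root, mode 0400.
    owner = "myapp";
  };

  # Private key used to decrypt during activation. agenix already defaults to
  # the host keys under /etc/ssh; it is listed explicitly here for clarity.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # The service consumes the decrypted path (outside the store) instead of a
  # cleartext value written into this configuration.
  systemd.services.myapp.serviceConfig.EnvironmentFile =
    config.age.secrets.myapp-env.path;
}
```

A quick check on the deployed host: the `.age` file in `/nix/store` should be world-readable ciphertext, while the path reported by `config.age.secrets.myapp-env.path` should be readable only by the configured owner.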