agenix/doc/problem-and-solution.md
Ryan Mulligan 657789137c doc: add new doc website
* use mmdoc
* add github pages action to auto publish
* do not edit README for now, will follow up with a commit that directs people to the doc site
2023-03-04 10:34:29 -08:00


Problem and solution

Every path in the Nix store is world-readable, so the store is not a suitable place for cleartext secrets. Many existing tools (like NixOps deployment.keys) work around this by deploying secrets through a separate channel from nixos-rebuild, which makes deployment, caching, and auditing harder: the secrets are not part of the closure being built, so they cannot be cached or reviewed with it. Out-of-band secret management is also less reproducible, because the system configuration no longer describes everything the host needs.

agenix solves these issues by using your pre-existing SSH key infrastructure and age to encrypt secrets, so that only the ciphertext (the .age files) enters the Nix store, where being world-readable is harmless. During NixOS system activation each secret is decrypted with an SSH host private key and written to a runtime directory outside the store (by default under /run/agenix) with the owner and mode you configure, so the plaintext never lands in a world-readable path.
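The following is an added illustration of the workflow just described, not code from the agenix documentation. It assumes a `secrets.nix` in the same directory that lists the recipients for each file, for example `"db-password.age".publicKeys = [ alice web01 ];` where `alice` is a user's `ssh-ed25519` public key and `web01` is the target host's `/etc/ssh/ssh_host_ed25519_key.pub`. The host name `web01`, the secret name `db-password` and the `myapp` service are placeholders chosen for this example:

```nix
# configuration.nix for the host web01 (example, not part of the agenix docs)
{ config, ... }:
{
  # The agenix NixOS module; pinning to a commit instead of "main" is
  # advisable in practice, the URL is left generic here.
  imports = [
    "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/main.tar.gz"}/modules/age.nix"
  ];

  # Private keys used for decryption at activation. This is the default
  # (the sshd host keys), spelled out so the trust root is explicit:
  # whoever holds this key can decrypt every secret encrypted to web01.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Ciphertext is copied into the store with the rest of the closure;
  # only hosts/users listed in secrets.nix can turn it back into plaintext.
  age.secrets.db-password = {
    file = ./secrets/db-password.age;   # created with: agenix -e db-password.age
    owner = "myapp";                    # plaintext is chowned to the consumer
    mode = "0400";                      # and is not world-readable
  };

  # Consumers reference the decrypted path (/run/agenix/db-password by
  # default) rather than embedding the value in the store.
  systemd.services.myapp.serviceConfig.LoadCredential = [
    "db-password:${config.age.secrets.db-password.path}"
  ];
}
```

Run `agenix -e db-password.age` next to `secrets.nix` to create or edit the ciphertext; it encrypts to every key in that file's `publicKeys` list. Two checks worth making before relying on this: `nix path-info -r` on the built system should contain only `.age` files, never the plaintext, and after `nixos-rebuild switch` the decrypted file under `/run/agenix` should carry the configured owner and mode. If a host key is replaced, the recipient list changes and the files must be re-encrypted with `agenix -r` (rekey), since the old ciphertext can no longer be opened by the new key.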