Skip to content

Secret Management #127

Description

@0xlua

I currently have a few different ways I manage my secrets. This generally works, but it's still worth trying to optimize my strategy for convenience as well as security purposes. I think it's impossible trying to have a one-shoe-fits-all solution, but the fewer points of failure the better. Still, a divide-and-conquer strategy might be the best way.

Requirements

  • Browser extension
  • Android App
  • Compatible with nix 1
  • easy to backup (see Backups #124)
  • Secret Service API
  • SSH-Agent
  • Secret Types
    • Logins
    • Credit Cards
    • Passkeys
    • SSH keys
    • API tokens

Possible Solutions

Logins / Passkeys

I currently use Vaultwarden for this. It ticks a lot of boxes and I like it. While Bitwarden seems to be on it's way to enshittification, my dependency of the company is already minimal, since I self-host Vaultwarden and use rbw on Linux, but I still use the official Browser extension and Android App. There are some bespoke automated backup options, but it's not super straightforward.

KeePass is also nice, and if I had to move away from Vaultwarden, this would be my next best choice. Mobile Apps and Browser extensions exist. Since it's just one file, it's easy to sync and backup. For syncing I would just use Syncthing.

Nix Config

I am currently using sops-nix to manage secrets for this repo, which works quite well.

While there are no official methods to use either Vaultwarden or KeePass with nix, there is some inspiration on how I could make it work here: https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes

fnox looks very cool! For nix use something like this

SSH

I just use normal SSH Keys right now. They are host-specific, passphrase protected and accessible with the standard SSH-Agent.

Here are some other (better?) solutions:

  • Vaultwarden and use rbw as an ssh-agent
    • to enable this: EXPERIMENTAL_CLIENT_FEATURE_FLAGS=ssh-key-vault-item,ssh-agent
  • KeePassXC
  • OIDC (using opkssh): PocketID for SSO
    • this only works for sshds I control. For work and github/codeberg I'd still need to store conventional ssh keys
  • YubiKey: just one central SSH Key, easy to manage
  • TPM (using ssh-tpm-agent): similar to YubiKey, but Host specific2
  • Something like Tailscale or Netbird SSH

Secret Service

Others

I also have some GPG and age keys, managed similarly to SSH private keys. Also looking for a better storage solution.

The best bet would probably be YubiKey: age-plugin-yubikey and Using Your YubiKey with OpenPGP.

Maybe use sq (Sequoia) and/or gpg-sq (Sequoia OpenPGP).

Regardless of the OpenPGP implementation, gpg-agent is always needed and so is pinentry. I currently use wayprompt, but some pinentries support the Secret Service API (see above), which would already make life a little bit easier.

Public Keys

Not strictly secret, but managing them is still closely related to the overall issue. In this case "Management" means publishing / propagating the keys, which is mostly a manual process at the moment.

  • Codeberg / GitHub
  • OpenPGP Public Keys: WKD, Keyserver, Proton
  • SSH Hosts: hardcoded in this flake

Conclusion

I see two main paths forward: stick with Vaultwarden or switch to KeePass. There are some things I will do either way. First, I will almost certainly switch to opkssh for my own servers. This way I don't have to bother with Authorized Keys at all. For work and git forges I will probably either use Vaultwarden/KeePass or YubiKey or both. Second I will try to use fnox instead of sops, since it allows me to use either KeePass or Vaultwarden/rbw as a provider.

Footnotes

  1. https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html

  2. https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions