You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I currently have a few different ways I manage my secrets. This generally works, but it's still worth trying to optimize my strategy for convenience as well as security purposes. I think it's impossible trying to have a one-shoe-fits-all solution, but the fewer points of failure the better. Still, a divide-and-conquer strategy might be the best way.
I currently use Vaultwarden for this. It ticks a lot of boxes and I like it. While Bitwarden seems to be on it's way to enshittification, my dependency of the company is already minimal, since I self-host Vaultwarden and use rbw on Linux, but I still use the official Browser extension and Android App. There are some bespoke automated backup options, but it's not super straightforward.
KeePass is also nice, and if I had to move away from Vaultwarden, this would be my next best choice. Mobile Apps and Browser extensions exist. Since it's just one file, it's easy to sync and backup. For syncing I would just use Syncthing.
Nix Config
I am currently using sops-nix to manage secrets for this repo, which works quite well.
Maybe use sq (Sequoia) and/or gpg-sq (Sequoia OpenPGP).
Regardless of the OpenPGP implementation, gpg-agent is always needed and so is pinentry. I currently use wayprompt, but some pinentries support the Secret Service API (see above), which would already make life a little bit easier.
Public Keys
Not strictly secret, but managing them is still closely related to the overall issue. In this case "Management" means publishing / propagating the keys, which is mostly a manual process at the moment.
I see two main paths forward: stick with Vaultwarden or switch to KeePass. There are some things I will do either way. First, I will almost certainly switch to opkssh for my own servers. This way I don't have to bother with Authorized Keys at all. For work and git forges I will probably either use Vaultwarden/KeePass or YubiKey or both. Second I will try to use fnox instead of sops, since it allows me to use either KeePass or Vaultwarden/rbw as a provider.
I currently have a few different ways I manage my secrets. This generally works, but it's still worth trying to optimize my strategy for convenience as well as security purposes. I think it's impossible trying to have a one-shoe-fits-all solution, but the fewer points of failure the better. Still, a divide-and-conquer strategy might be the best way.
Requirements
Possible Solutions
Logins / Passkeys
I currently use Vaultwarden for this. It ticks a lot of boxes and I like it. While Bitwarden seems to be on it's way to enshittification, my dependency of the company is already minimal, since I self-host Vaultwarden and use rbw on Linux, but I still use the official Browser extension and Android App. There are some bespoke automated backup options, but it's not super straightforward.
KeePass is also nice, and if I had to move away from Vaultwarden, this would be my next best choice. Mobile Apps and Browser extensions exist. Since it's just one file, it's easy to sync and backup. For syncing I would just use Syncthing.
Nix Config
I am currently using sops-nix to manage secrets for this repo, which works quite well.
While there are no official methods to use either Vaultwarden or KeePass with nix, there is some inspiration on how I could make it work here: https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes
fnox looks very cool! For nix use something like this
SSH
I just use normal SSH Keys right now. They are host-specific, passphrase protected and accessible with the standard SSH-Agent.
Here are some other (better?) solutions:
EXPERIMENTAL_CLIENT_FEATURE_FLAGS=ssh-key-vault-item,ssh-agentSecret Service
Others
I also have some GPG and age keys, managed similarly to SSH private keys. Also looking for a better storage solution.
The best bet would probably be YubiKey: age-plugin-yubikey and Using Your YubiKey with OpenPGP.
Maybe use sq (Sequoia) and/or gpg-sq (Sequoia OpenPGP).
Regardless of the OpenPGP implementation, gpg-agent is always needed and so is pinentry. I currently use wayprompt, but some pinentries support the Secret Service API (see above), which would already make life a little bit easier.
Public Keys
Not strictly secret, but managing them is still closely related to the overall issue. In this case "Management" means publishing / propagating the keys, which is mostly a manual process at the moment.
Conclusion
I see two main paths forward: stick with Vaultwarden or switch to KeePass. There are some things I will do either way. First, I will almost certainly switch to opkssh for my own servers. This way I don't have to bother with Authorized Keys at all. For work and git forges I will probably either use Vaultwarden/KeePass or YubiKey or both. Second I will try to use fnox instead of sops, since it allows me to use either KeePass or Vaultwarden/rbw as a provider.
Footnotes
https://elvishjerricco.github.io/2018/06/24/secure-declarative-key-management.html ↩
https://linderud.dev/blog/store-ssh-keys-inside-the-tpm-ssh-tpm-agent/ ↩