> Right now, I need to distribute and sync my "secure files" to multiple
> machines. If I could just store the mysql password in the store,
> gpg encrypted, that would make things a lot easier.
> As files can be encrypted for multiple receivers, I can manage
> permissions through that mechanism and just store everything in 1 place
> (channel).
>
> Then, during activation of a new configuration, when some password is
> needed (like when creating a mysql database), "gpg -d" would give a
> passphrase prompt to the person who has chosen this config.
> To avoid interactivity, a passphrase-less key can be used (granted, then
> we're back to the current security-level where gaining root/physical
> access gives you all plain passwords), or gpg-agent.
So what we want is to make some storage for secrets that is accessible only to the associated builder (so that the secrets are not stored in derivations)? Encrypting/decrypting per se are easy.

_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
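The scheme in the quoted message, as an added example that is not code from the thread or from Nix itself: one secret file is encrypted to several recipients with gpg, the recipient list acting as the permission mechanism, and is then decrypted with `gpg --batch -d`, the way a non-interactive activation step would do it. The keyrings are throwaway directories under a temp dir, the recipients a, b and the outsider x at example.invalid are hypothetical, and the MySQL password is a constructed sample. The keys are generated without a passphrase, which is what makes decryption non-interactive and is also exactly the trade-off the message points out (root on the box can read the secret); the gpg-agent alternative is not shown. Requires GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the nix-dev thread or from Nix): multi-recipient
# gpg encryption of a secret, plus non-interactive decryption as an
# activation script would run it. All names, keyrings and the sample
# password below are constructed for the demo. Needs GnuPG 2.1+.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    exit 0
fi

DEMO_ROOT=$(mktemp -d)
SECRET='mysql-root-password: s3cr3t'   # constructed sample secret

cleanup() {
    for d in a b x; do
        gpgconf --homedir "$DEMO_ROOT/$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$DEMO_ROOT"
}
trap cleanup EXIT

# make_key NAME: isolated keyring under $DEMO_ROOT/NAME holding one
# passphrase-less key for NAME@example.invalid (hypothetical address).
# No passphrase means no prompt, and also that anyone who can read the
# keyring can read every secret encrypted to it.
make_key() {
    home="$DEMO_ROOT/$1"
    mkdir -m 700 "$home"
    echo allow-loopback-pinentry > "$home/gpg-agent.conf"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$1@example.invalid" default default never
}

# import_pubkey FROM TO: give keyring TO the public key of FROM so TO can
# encrypt to that recipient.
import_pubkey() {
    gpg --homedir "$DEMO_ROOT/$1" --batch --export "$1@example.invalid" \
        | gpg --homedir "$DEMO_ROOT/$2" --batch --quiet --import
}

# encrypt_for OUT NAME...: encrypt $SECRET from keyring a to every NAME given.
# The recipient list is the whole "permission" mechanism: whoever is not on
# it cannot decrypt the file.
encrypt_for() {
    out="$1"; shift
    args=""
    for r in "$@"; do args="$args -r $r@example.invalid"; done
    # word-splitting of $args into separate -r options is intended
    # shellcheck disable=SC2086
    printf '%s\n' "$SECRET" | gpg --homedir "$DEMO_ROOT/a" --batch --quiet --yes \
        --trust-model always --encrypt $args -o "$out"
}

# decrypt_as NAME FILE: the non-interactive decryption an activation script
# would run. Prints the plaintext; fails if NAME holds no matching secret key.
decrypt_as() {
    gpg --homedir "$DEMO_ROOT/$1" --batch --quiet --decrypt "$2" 2>/dev/null
}

# can_decrypt NAME FILE: yes/no wrapper around decrypt_as.
can_decrypt() {
    if decrypt_as "$1" "$2" >/dev/null; then echo yes; else echo no; fi
}

make_key a; make_key b; make_key x     # x is an outsider, never a recipient
import_pubkey b a                      # a encrypts, so it needs b's public key
encrypt_for "$DEMO_ROOT/mysql.gpg" a b

echo "a decrypts:    $(decrypt_as a "$DEMO_ROOT/mysql.gpg")"
echo "b decrypts:    $(decrypt_as b "$DEMO_ROOT/mysql.gpg")"
echo "x can decrypt: $(can_decrypt x "$DEMO_ROOT/mysql.gpg")"
```

Adding or revoking access is a re-encryption with a different `-r` list; the ciphertext itself can live anywhere readable, since only the listed recipients' secret keys can open it. If the decrypting host needs a prompt-free `gpg -d` with a passphrase-protected key instead, a running gpg-agent with the passphrase cached is the alternative the message mentions, and that is not covered here.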
