Secret support via sops #5

New issue

Closed

opened 2023-09-24 23:00:56 +00:00 by nerf · 0 comments

nerf commented

2023-09-24 23:00:56 +00:00

Owner

We also need to discuss if we want to opt for the new age driven crypto or if we want to rely on the good ol' gpg.

Pros and Cons:

Pros for gpg

everybody already has a version of gpg
gpg hast “stood the test of time”

Cons for gpg

it is gpg
it is “designed” in the early 90's and historically grown
an unusable monster with (in some versions) insane defaults

Pros for age

it is a (comparably) simple tool
it is designed for the task

Cons for age

it is not preinstalled on most OS (it is in most package repositories)
it is the new kid on the block
I'm not aware of any systematic reviews

Sooner or later we will have secrets in some of our configurations. A possible example would be the users of the mail server, or authentication tokens. But there are many more. (Not that I'm saying we should include mail server users in the nix config, maybe we should treat them as state, but I'm not sure about that). We also need to discuss if we want to opt for the new [`age`](https://age-encryption.org/) driven crypto or if we want to rely on the good ol' `gpg`. Pros and Cons: Pros for `gpg` - everybody already has a version of `gpg` - gpg hast “stood the test of time” Cons for `gpg` - it is [gpg](https://www.latacora.com/blog/2019/07/16/the-pgp-problem/) - it is “designed” in the early 90's and historically grown - an unusable monster with (in some versions) insane defaults Pros for `age` - it is a (comparably) simple tool - it is designed for the task Cons for `age` - it is not preinstalled on most OS (it is in most package repositories) - it is the new kid on the block - I'm not aware of any systematic reviews