Skip to content

Secrets

If you want to know more about how to save and share passwords in your clan read further!

Adding a Secret

clan secrets set mysecret
Paste your secret:

Retrieving a Stored Secret

clan secrets get mysecret

List all Secrets

clan secrets list

NixOS integration

A NixOS machine will automatically import all secrets that are encrypted for the current machine. At runtime it will use the host key to decrypt all secrets into an in-memory, non-persistent filesystem using sops-nix. In your nixos configuration you can get a path to secrets like this config.sops.secrets.<name>.path. For example:

{ config, ...}: {
  sops.secrets.my-password.neededFor = "users";

  users.users.mic92 = {
    isNormalUser = true;
    passwordFile = config.sops.secrets.my-password.path;
  };
}

Assigning Access

When using clan secrets set <secret> without arguments, secrets are encrypted for the key of the user named like your current $USER.

To add machines/users to an existing secret use:

 clan secrets machines add-secret <machine_name> <secret_name>

Alternatively specify users and machines while creating a secret:

clan secrets set --machine <machine1> --machine <machine2> --user <user1> --user <user2> <secret_name>

Advanced

In this section we go into more advanced secret management topics.

Groups

Clan CLI makes it easy to manage access by allowing you to create groups.

All users within a group inherit access to all secrets of the group.

This feature eases the process of handling permissions for multiple users.

Here's how to get started:

  1. Creating Groups:

Assign users to a new group, e.g., admins:

clan secrets groups add admins <username>
  1. Listing Groups:
clan secrets groups list
  1. Assigning Secrets to Groups:
clan secrets groups add-secret <group_name> <secret_name>

Adding Machine Keys

New machines in Clan come with age keys stored in ./sops/machines/<machine_name>. To list these machines:

 clan secrets machines list

For existing machines, add their keys:

 clan secrets machines add <machine_name> <age_key>

To fetch an age key from an SSH host key:

 ssh-keyscan <domain_name> | nix shell nixpkgs#ssh-to-age -c ssh-to-age

Migration: Importing existing sops-based keys / sops-nix

clan secrets stores each secret in a single file, whereas sops commonly allows to put all secrets in a yaml or json document.

If you already happened to use sops-nix, you can migrate by using the clan secrets import-sops command by importing these files:

% clan secrets import-sops --prefix matchbox- --group admins --machine matchbox nixos/matchbox/secrets/secrets.yaml

This will create secrets for each secret found in nixos/matchbox/secrets/secrets.yaml in a ./sops folder of your repository. Each member of the group admins in this case will be able to decrypt the secrets with their respective key.

Since our clan secret module will auto-import secrets that are encrypted for a particular nixos machine, you can now remove sops.secrets.<secrets> = { }; unless you need to specify more options for the secret like owner/group of the secret file.

Indepth Explanation

The secrets system conceptually knows two different entities:

  • Machine: consumes secrets
  • User: manages access to secrets

A Users Can add or revoke machines' access to secrets.

A machine Can decrypt secrets that where encrypted specifically for that machine.

Danger

Always make sure at least one User has access to a secret. Otherwise you could lock yourself out from accessing the secret.

Inherited implications

By default clan uses sops through sops-nix for managing its secrets which inherits some implications that are important to understand:

  • Public/Private keys: Entities are identified via their public keys. Each Entity can use their respective private key to decrypt a secret.
  • Public keys are stored: All Public keys are stored inside the repository
  • Secrets are stored Encrypted: secrets are stored inside the repository encrypted with the respective public keys
  • Secrets are deployed encrypted: Fully encrypted secrets are deployed to machines at deployment time.
  • Secrets are decrypted by sops on-demand: Each machine decrypts its secrets at runtime and stores them at an ephemeral location.
  • Machine key-pairs are auto-generated: When a machine is created no user-interaction is required to setup public/private key-pairs.
  • secrets are re-encrypted: In case machines, users or groups are modified secrets get re-encrypted on demand.

    Important

    After revoking access to a secret you should also change the underlying secret. i.e. change the API key, or the password.


Machine and user keys

The following diagrams illustrates how a user can provide a secret (i.e. a Password).

  • By using the Clan CLI a user encrypts the password with both the User public-key and the machine's public-key

  • The Machine can decrypt the password with its private-key on demand.

  • The User is able to decrypt the password to make changes to it.

uml diagram

User groups

Here we illustrate how machine groups work.

Common use cases:

  • Shared Management: Access among multiple users. I.e. a subset of secrets/machines that have two admins

uml diagram


Machine groups

Here we illustrate how machine groups work.

Common use cases:

  • Shared secrets: Among multiple machines such as Wifi passwords

uml diagram

See the readme of sops-nix for more examples.