Can Systemd 247 "credentials" logic solve secret management for us?

[davidak]

Issue description

Configuring credentials in NixOS is an unsolved problem, since saving them in the nix store is a bad idea (it is world-readable on a system).

A solution would be to store it outside the nix store, as state on disk (like linux user passwords), in best case with permissions, so only the service that needs it can access it.

Maybe the new "credentials" logic from Systemd 247 can solve it for us?

A new "credentials" logic has been added to system services. This is
a simple mechanism to pass privileged data to services in a safe and
secure way. It's supposed to be used to pass per-service secret data
such as passwords or cryptographic keys but also associated less
private information such as user names, certificates, and similar to
system services. Each credential is identified by a short user-chosen
name and may contain arbitrary binary data. Two new unit file
settings have been added: SetCredential= and LoadCredential=. The
former allows setting a credential to a literal string, the latter
sets a credential to the contents of a file (or data read from a
user-chosen AF_UNIX stream socket). Credentials are passed to the
service via a special credentials directory, one file for each
credential. The path to the credentials directory is passed in a new
$CREDENTIALS_DIRECTORY environment variable. Since the credentials
are passed in the file system they may be easily referenced in
ExecStart= command lines too, thus no explicit support for the
credentials logic in daemons is required (though ideally daemons
would look for the bits they need in $CREDENTIALS_DIRECTORY
themselves automatically, if set). The $CREDENTIALS_DIRECTORY is
backed by unswappable memory if privileges allow it, immutable if
privileges allow it, is accessible only to the service's UID, and is
automatically destroyed when the service stops.

Source: https://github.com/systemd/systemd/blob/6706384a89ae0c462e7172588c80667190c4d9e2/NEWS#L320

Update: Turns out this feature was added because of the discussions in NixOS/rfcs#59 (comment). So the answer is probably yes!

cc @flokli @Mic92 @aanderse @arianvp @edolstra @shlevy @d-goldin @globin

Thanks to @poettering for making this possible!

Related:

• Provide options for storing secrets outside the Nix store #24288
• nixos/ldap: unify secrets handling #64951
• systemd: 246.6 -> 247 #102355
• [RFC 0005] Nix encryption rfcs#5
• [RFC 0059]: Systemd Service Secrets rfcs#59
• [RFC 0059]: Systemd Service Secrets rfcs#59 (comment)
• credentials logic to pass privileged data to services systemd/systemd#16568
• RFE: per-service credentials system systemd/systemd#15778

[davidak]

I thought about the issue for 7 minutes.

• When Nix is a package manager, why put your credentials into "packages"? A debian package maintainer wouldn't put his login into the package, so every debian user is logged in as him. Why can't Nix differentiate between packages and configuration?
• When Nix could put configuration files in the nix store with access rights only for the service that needs it (and root for debugging) AND not share those files, the problem would be also solved.

Then the credentials won't have to be state and the configuration is reproducible again.

Related:

• Support private files in the Nix store nix#8

[xaverdh]

also related: #93659

[Mic92]

Also related: Mic92/sops-nix#39 (review)

[happysalada]

I did some testing with a conf akin to the following

        serviceConfig = {
          LoadCredential = "secret_key_base:/run/secrets/unionBlue.secret_key_base";
        };
        environment = {
          SECRET_KEY_BASE = "$CREDENTIALS_DIRECTORY/secret_key_base";
        };

having the /run/secrets being populated with agenix.
Having confirmed that the /run/secrets/unionBlue.secret_key_base was populated, I still get the following error

72670]: union-blue.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/union-blue.service: No such file or directory
72670]: union-blue.service: Failed at step NAMESPACE spawning /nix/store/sxpb7vbxx1kwprnhsvr2cn7l0vssl9r2-union-0.0.1/bin/union: No such file or directory

I'm not sure how to proceed next. I'm interested in testing if anybody has ideas.

[davidak]

@happysalada you could ask upstream (systemd) how the feature should be used in this case if the documentation is not clear. maybe something is still missing which they can add

[happysalada]

submitted systemd/systemd#19604
Will update when I have a working example

[dotlambda]

@happysalada @mjlbach I'm pretty sure these failures are just a problem with how NixOS tests are run. If you try it with e.g. https://github.com/Mic92/nixos-shell there is no problem.

[mjlbach]

What do you mean regarding nixos tests? For that referenced issue I was not using the test that I wrote for dendrite, but trying to start the service directly.

[dotlambda]

You're right, I messed up when testing the configuration.

[happysalada]

just to give a summary of what happened.
It seems that the loadCredential feature doesn't work with systemd 247, but people have reported that it's fixed with 248. There is a PR pending that updates to systemd 248 #123476

the systemd people advise not using environment variables for secrets at all. Meaning that any application written to get secrets (database password for example) from environment variables should be modified to read it from a file instead. To me it seems that this is going to need some work with upstream packages to change the behavior. It seems that some settings like db passwords are most often read from env vars, while things from cert files is most often a file. I'm curious to see how upstream maintainers will react to those proposed changes.

Regarding usage it's a little odd to me, but it seems the way to use this will be pass a file coming from run/secrets. Meaning doing traditional secret management to have secrets be available in /run/secrets/my_secret and then having
serviceConfig.LoadCredential = "my_secret:/run/secrets/my_secret";
then inside your application you would have
my_secret = File.read("$CREDENTIALS_DIRECTORY/my_secret")

Please correct me, If you feel I misunderstood something.

[davidak]

It seems that some settings like db passwords are most often read from env vars

That is very common in Docker, maybe they made it popular.

e.g. https://github.com/docker-library/docs/blob/6b9b7ee305a055ecfe0c9c0b772bc2da176d736e/postgres/README.md#start-a-postgres-instance

it might be OK inside a container, but we should use files

thank you for bringing this topic forward!