Comprehensive Comparison of Six Key Management Tools for NixOS and Tips for Secure Operations
After three years of using NixOS, the author compares six major secret management tools, including sops-nix and agenix, offering insights on security risks and practical implementation tips.
What Is the Optimal Solution for Secret Key Management in NixOS Based on Years of Experience?
NixOS is a Linux distribution renowned for its reproducibility. However, managing “secrets” such as server passwords and API keys presents challenges specific to NixOS. At the core of these challenges is the fact that the Nix store is world-readable.
Developer Isabel Roses, who has used NixOS for three years, shared her insights in her blog, comparing six (or seven) major secret management tools. Her findings serve as a practical guide for developers seeking secure operations on NixOS.
Three Methods You Should Absolutely Avoid
Roses begins by highlighting three methods that must never be used on shared machines or public repositories:
- Storing secrets directly in the filesystem, sacrificing reproducibility.
- Saving secrets in private Git repositories.
- Embedding secret keys directly in Nix configuration files.
The danger of these methods lies in the world-readable nature of the Nix store. In other words, any user with access to the machine can read secret keys via the store. Roses underscores the severity of this issue by referencing recent vulnerabilities such as CVE-2026-31431 (copyfail) and CVE-2026-43284, CVE-2026-43500 (dirtyfrag). She also shares her personal experience of inadvertently leaking secret keys in the past.
Tools to Consider: “sops-nix” and “agenix/ragenix”
For secure operations, using dedicated tools is essential. Roses explored major tools such as sops-nix, agenix, and ragenix.
sops-nix: A Staple Tool with Mixed Feelings
sops-nix was the first tool Roses tried, but its initial complexity led her to abandon it temporarily. However, she now appreciates its improved documentation and the ability to encrypt and decrypt data directly using SSH keys.
Usage involves defining encryption rules in a .sops.yaml file and editing YAML-format secret files with the sops command, which re-encrypts them automatically, so only ciphertext ends up in the repository.
She notes, however, that sops-nix has yet to fully integrate support for the new SSH key feature, pointing readers to GitHub issues (sops-nix#779, sops-nix#922) for more details.
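The workflow described above, as an added example that is not code from Roses' post or from the sops-nix project: a NixOS module wiring sops-nix so that the encrypted YAML goes into the store but the plaintext is only ever materialised at activation time under /run/secrets. It assumes sops-nix is a flake input named `inputs.sops-nix`, a secret file at ./secrets/example.yaml, a service user `myservice`, and it uses the long-standing SSH-host-key-to-age conversion rather than the newer native SSH key support mentioned above; the age public keys in the comment are placeholders.

```nix
# configuration.nix fragment (example, not from the original post).
# Assumes sops-nix is imported as a flake input and that the encrypted file
# lives at ./secrets/example.yaml in the same repository.
#
# The matching .sops.yaml next to it (age public keys are placeholders):
#
#   keys:
#     - &admin age1PLACEHOLDER_ADMIN_PUBLIC_KEY
#     - &host  age1PLACEHOLDER_HOST_PUBLIC_KEY
#   creation_rules:
#     - path_regex: secrets/[^/]+\.yaml$
#       key_groups:
#         - age: [ *admin, *host ]
#
# `sops secrets/example.yaml` opens the file decrypted in $EDITOR and
# re-encrypts it on save, so only ciphertext is ever committed.
{ inputs, config, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  # Encrypted YAML that is copied into the (world-readable) Nix store.
  # That is acceptable because it contains ciphertext only.
  sops.defaultSopsFile = ./secrets/example.yaml;

  # Derive the host's age identity from its SSH host key, so no separate
  # age key has to be provisioned on the machine.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Plaintext is written at activation time to /run/secrets/<name>,
  # outside the store, with restrictive ownership and mode.
  sops.secrets."api_token" = {
    owner = "myservice";
    group = "myservice";
    mode = "0400";
    restartUnits = [ "myservice.service" ];
  };

  users.groups.myservice = { };
  users.users.myservice = {
    isSystemUser = true;
    group = "myservice";
  };

  # The service consumes the runtime path, never the secret value itself,
  # so the value cannot leak into the store via string interpolation.
  systemd.services.myservice.serviceConfig.LoadCredential =
    "api_token:${config.sops.secrets."api_token".path}";
}
```

A quick check after `nixos-rebuild switch`: `ls -l /run/secrets/api_token` should show mode 0400 owned by myservice, and `grep -r` of the token value across /nix/store should find nothing.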
agenix/ragenix: Ideal for Simplicity
agenix and its fork, ragenix, employ age-based encryption, which can be simpler to configure compared to sops-nix. Roses lists these tools as significant options for consideration.
The Philosophy Behind Tool Selection
Roses’ comparison highlights the trade-offs between usability, security, and reproducibility. While sops-nix offers rich functionality and flexibility, its learning curve is steep. In contrast, agenix is lightweight but may become cumbersome if managing a large number of keys.
The key takeaway is that regardless of the tool chosen, developers must understand NixOS’s fundamental constraint (i.e., the store’s readability) and design their systems to mitigate this. Roses’ candid discussion of her own “errors” reflects the collective wisdom accumulated in the community surrounding this issue.
Future Outlook and Recommended Actions
The NixOS community continues to address this issue through improved documentation and integration of new features in existing tools. Users are advised first to check whether their configurations are managed in public repositories or whether their machines are shared.
Afterwards, trying either sops-nix or agenix and starting with small secrets is recommended. Security is not a one-time setup but rather a continuous improvement process.
FAQ
Q: I’m new to NixOS. Which tool should I start with?
A: Considering its current documentation and SSH key support, sops-nix is a strong candidate. Although it may seem complex at first, it offers long-term operational flexibility. Start with small secret files on a test virtual machine, following the documentation step-by-step.
Q: Is it safe to store secret keys in a Git repository using git-crypt?
A: No, this approach does not solve the underlying problem on NixOS. Even if files in a repository are encrypted with git-crypt, the decrypted plaintext is placed in the world-readable Nix store during the build. Dedicated secret management tools differ precisely in that they control how secrets are stored relative to the Nix store itself.
Q: What is CVE-2026-31431 (copyfail), a currently active threat?
A: While the article only mentions the name and CVE number without technical details, this vulnerability is actively discussed within the NixOS security community. It serves as a reminder of the importance of secret key management. For the latest information, check NixOS’s official security advisories.