Merge pull request #14557 from raboof/document-avoiding-secrets-in-the-store

Mic92 · web-flow · commit f98bc8f41fef · 2025-11-13T14:40:00.000Z
docs: avoid secrets in the nix store
diff --git a/doc/manual/source/SUMMARY.md.in b/doc/manual/source/SUMMARY.md.in
@@ -29,6 +29,7 @@
   - [Build Trace](store/build-trace.md)
   - [Derivation Resolution](store/resolution.md)
   - [Building](store/building.md)
+  - [Secrets](store/secrets.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
   - [Appendix: Math notation](store/math-notation.md)
diff --git a/doc/manual/source/store/secrets.md b/doc/manual/source/store/secrets.md
@@ -0,0 +1,20 @@
+# Secrets
+
+The store is readable to all users on the system. For this reason, it
+is generally discouraged to allow secrets to make it into the store.
+
+Even on a single-user system, separate system users isolate services
+from each other and having secrets that all local users can read
+weakens that isolation. When using external store caches the secrets
+may end up there, and on multi-user systems the secrets will be
+available to all those users.
+
+Organize your derivations so that secrets are read from the filesystem
+(with appropriate access controls) at run time. Place the secrets on
+the filesystem manually or use a scheme that includes the secret in
+the store in encrypted form, and decrypts it adding the relevant
+access control on system activation.
+Several such schemes for NixOS can in the
+[comparison of secret managing schemes] on the wiki.
+
+[comparison of secret managing schemes]: https://wiki.nixos.org/wiki/Comparison_of_secret_managing_schemes
