Subject: Re: How to store secrets when using guix deploy?
From: Leo Prikler
To: jbranso@dismail.de, inbox@leefallat.ca
Cc: guix-devel@gnu.org
Date: Sun, 14 Feb 2021 21:51:41 +0100
In-Reply-To: 87lfbqio8q.fsf@dismail.de
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

Guix itself does not handle any secrets yet -- at best you could consider the password field of the user-account structure to be one, and that is not particularly kept a secret either (it shows up as plaintext).
Depending on your use-case, there might also be services like the letsencrypt-service-type to generate X.509 certificates. Other than that, you may be able to send some already encrypted file to your machine, but you'll have to manually set up decryption through other means unless you want plaintext in your store again. That's the status quo as far as I understand. How it *should* handle secrets remains an open question if I recall correctly.

Regards,
Leo
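Added example, not part of Leo's message and not code shipped by Guix: a POSIX shell check for the failure mode he describes, a secret value written into the system configuration landing in plaintext in the world-readable store, plus the landing spot you need for material you decrypt on the target by "other means". leak_check walks a store-like tree for a fixed string; write_secret_file puts decrypted plaintext in a 0600 file and refuses anything under /gnu/store. The sample store tree, the account name "alice", the password string "Tr0ub4dor&3" and the runtime directory are all constructed for the demo; in practice you would point leak_check at /gnu/store or at the output of `guix system build`, and pick a runtime directory of your own (a tmpfs such as /run is my assumption, not something Guix prescribes).

```shell
#!/bin/sh
# Added example, not from the original message or from Guix. Two helpers:
#   leak_check STORE SECRET  - print every file under STORE whose contents
#                              contain SECRET; the store is world-readable,
#                              so a hit means every local user can read it.
#   write_secret_file DEST   - landing spot for material decrypted on the
#                              target: mode 0600, outside the store, read from
#                              stdin so the plaintext never sits in a command
#                              line or in the system configuration.
# The store tree built by make_sample_store is constructed for the demo;
# point leak_check at /gnu/store (or `guix system build` output) for real.

# leak_check STORE_DIR SECRET
# Prints matching paths; returns 1 if the secret was found, 0 if clean.
leak_check() {
    _store=$1
    _secret=$2
    # -r recurse, -l names only, -F fixed string (no regex surprises)
    _hits=$(grep -rlF -- "$_secret" "$_store" 2>/dev/null || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# write_secret_file DEST   (plaintext on stdin)
# Creates DEST with mode 0600; the umask change lives in a subshell so it
# does not leak into the caller. Refuses to put plaintext back in the store.
write_secret_file() {
    _dest=$1
    case $_dest in
        /gnu/store/*)
            printf 'refusing to write a secret into the store: %s\n' "$_dest" >&2
            return 2 ;;
    esac
    (umask 077 && cat > "$_dest")
}

# file_mode FILE -> ls(1) permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# make_sample_store -> path of a constructed store-like tree.
# One "system" item carries a shadow line whose password field is the
# plaintext "Tr0ub4dor&3" (the user-account password rendered as-is);
# the other item is an innocent shell with nothing secret in it.
make_sample_store() {
    _dir=$(mktemp -d)
    mkdir -p "$_dir/0abc-system/etc" "$_dir/1def-bash-5.1/bin"
    printf 'alice:Tr0ub4dor&3:18500:0:99999:7:::\n' > "$_dir/0abc-system/etc/shadow"
    printf 'alice:x:1000:1000::/home/alice:/bin/sh\n' > "$_dir/0abc-system/etc/passwd"
    printf '#!/bin/sh\necho hello\n' > "$_dir/1def-bash-5.1/bin/sh"
    printf '%s\n' "$_dir"
}

# Stand-alone demo: find the leak, then show the runtime-file pattern.
demo() {
    _store=$(make_sample_store)
    _run=$(mktemp -d)
    if leak_check "$_store" 'Tr0ub4dor&3'; then
        echo "clean: secret not found under $_store"
    else
        echo "LEAK: the files above are world-readable"
    fi
    printf 'Tr0ub4dor&3' | write_secret_file "$_run/db-password"
    echo "runtime copy: $(file_mode "$_run/db-password") $_run/db-password"
    rm -rf "$_store" "$_run"
}
demo
```

The grep only catches a verbatim copy of the value: a hashed password, a base64-encoded key or a ciphertext in the store will not match, so a clean result says "not in plaintext", not "not derivable". That is also the limit of the encrypted-file approach in the message: the ciphertext may live in the store, but the key and the decrypted output must not, which is what the /gnu/store refusal in write_secret_file enforces.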