NixOS and Secrets

On NixOS, sops-nix and agenix are the main tools used for secrets management. sops-nix can hold many secrets in a single file, which suits larger services, and its support for encryption with SSH keys is improving. agenix uses a simple, straightforward configuration that manages a separate file and access control for each secret, which suits small-scale or standalone token management. Using the filesystem directly is not recommended for reproducibility and security reasons, and putting secrets in plaintext in a public repository or in the Nix configuration creates a serious security risk. Both tools have limited support for post-quantum encryption, although the latest versions of the age tool do support it.

https://isabelroses.com/blog/nixos-and-secrets/

#nixos #secretsmanagement #sopsnix #agenix #encryption

NixOS and Secrets

My takes and experiences with secrets management on NixOS

Security Tip: Are your API keys permanent? 🛡️ Long-lived secrets are a major risk. If an environment is compromised, those keys give attackers indefinite access. Implement automated rotation and prefer short-lived tokens or IAM roles where possible. This limits the blast radius of a leak. Stay ahead of emerging threats and vulnerabilities with technical insights at https://cvedatabase.com #CyberSecurity #InfoSec #AppSec #SecretsManagement
CVEDatabase.com - Search & Analyze CVE Vulnerabilities

Search and analyze CVE vulnerabilities with instant access to CVSS scores, affected products, and AI-powered remediation guidance.

CVEDatabase.com
OpenBao Basics: An Introduction to Secrets Management - Adfinis

Expert insights into secrets management from the maintainers of OpenBao. Understand the traits that make secrets easy to exploit and how to counteract them with robust security controls.

🚀 New Talk Dropped for BSides Luxembourg 2026!

🔐🧰 TURNKEY CODE – ENHANCING SECRETS MANAGEMENT IN LARGE SCALE ORGANIZATIONS — Diogo Lemos

⚡ Dive into a Talk (40 min) on building scalable secrets detection systems that actually reduce noise, improve triage, and integrate into real-world CI/CD pipelines.

Secrets leakage remains one of the most persistent problems in modern software development, not because tools don’t exist, but because they fail at scale—producing too many false positives and too little actionable context. This session explores how a real-world turnkey platform was designed to solve this gap using open-source tooling, smarter validation, and CI/CD-native workflows.

Through architecture insights and live demonstrations, learn how scanning strategies, confidence scoring, and automation can transform secrets detection from a noisy checkbox into a reliable security process. The talk also highlights practical lessons from deploying and scaling such a system in production environments.

Diogo Lemos is an Application Security Engineer with experience at Checkmarx, Flutter Entertainment, and OLX, specializing in scalable AppSec programs, automation, and cloud security. He actively contributes to open-source security tooling and speaks internationally on practical SAST, SCA, and secrets management solutions.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/

📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

📲 View full schedule & build your agenda: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #SecretsManagement #AppSec #DevSecOps #SAST #CyberSecurity

GitGuardian's 2026 report found 29M secrets on public GitHub — AI service credentials surged 81% YoY, and 64% of exposed secrets from 2022 are still valid today. Learn how to eliminate NHI secrets sprawl with workload identity federation, vault-based dynamic credentials, and automated rotation.

https://iamdevbox.com/posts/nhi-secrets-sprawl-fixing-the-non-human-identity-credential-crisis/?utm_source=mastodon&utm_medium=social&utm_campaign=blog_post

#nonhumanidentity #secretsmanagement #NHI #De

Every CI/CD pipeline I've audited had at least one hardcoded secret. Developer adds a credential "temporarily," it persists in git history forever. Internal repos give false security; one compromised workstation exposes every secret in source control.

Pipeline credentials are privileged credentials outside PAM governance. Vault them. Rotate them. Monitor them.

#DevSecOps #SecretsManagement #PAM

GitGuardian's Secrets Sprawl report found millions of new exposed secrets in public repos annually. Enterprise internal repos are arguably worse: "it's internal, so it's fine" ignores that one compromised dev workstation exposes every credential in source control.

Pipeline credentials typically have write access to production databases and cloud deployment permissions. That's privileged access by any definition, outside PAM governance.

#DevSecOps #SecretsManagement #PAM

Self-management now! Managing HashiCorp Vault configuration from the inside, relying on Git and a quorum of signatures

When managing access in HashiCorp Vault you have a choice: do it either super-securely but inconveniently, or conveniently but with a risk of compromising secrets. In the first case you revoke the root token after initializing the vault and gather a quorum of Shamir key holders for every configuration change. In the second, you apply the configuration through CI/CD or from under an administrator account, and then somewhere there necessarily exists a "ring of power": a token or password whose compromise gives full control over the secrets infrastructure. We decided to combine security and convenience in a single solution. We took the idea of a quorum and the way of auditing changes that the engineering community is used to: commits in Git. Read on below the cut to see what came of it. Spoiler: you will be able to use this solution for free.

https://habr.com/ru/companies/flant/articles/1014914/

#deckhouse_stronghold #hashicorp_vault #hashicorp_terraform #gitops #secrets #secretsmanagement #plugin

Self-management now! Managing HashiCorp Vault configuration from the inside, relying on Git and a quorum of signatures

Many DevOps engineers use HashiCorp Vault to store or manage secrets. Besides the fact that all data in the vault is reliably encrypted, the tool lets you grant access granularly...

Habr