| 9 Nov 2025 |
 K900 | iff you want to use it with agenix, yes | 14:01:07 |
 faye | * That was on my to-do list frankly, I just haven't got around to switching yet | 14:01:07 |
| 12 Nov 2025 |
|  Inayet changed their display name from inayet to Inayet. | 12:37:03 |
| 16 Nov 2025 |
|  @kttns0ut:matrix.org left the room. | 19:29:40 |
| 17 Nov 2025 |
|  Sylkos joined the room. | 20:16:28 |
| 18 Nov 2025 |
|  @eschguy:matrix.org left the room. | 20:47:57 |
| 19 Nov 2025 |
|  tioan joined the room. | 19:38:35 |
| 20 Nov 2025 |
|  John joined the room. | 05:37:45 |
| 21 Nov 2025 |
|  jappie joined the room. | 17:01:57 |
|  isabel changed their profile picture. | 18:14:24 |
| 23 Nov 2025 |
 Alexandros Liarokapis | Hi there. Is there an actual security advantage of not keeping secrets decrypted at rest say at /var/lib/agenix/secrets or similar and instead decrypting on startup? What is the threat model here exactly? If they could get access to /var/lib/agenix/secrets or similar they should also be able to get access to private decryption keys | 23:12:11 |
| K900 | You still need to redecrypt on activation | 23:14:09 |
| K900 | And activation generally runs before everything else. | 23:14:17 |
| K900 | So it doesn't really matter in practice | 23:14:27 |
| K900 | I feel like a better question is, what are you trying to do where this difference matters? | 23:15:25 |
| Alexandros Liarokapis | The reason I am asking is because I am writing a small bitwarden secret manager module which would fetch secrets through network call so I want some way to store the secrets in case network is not available and thinking whether or not keeping encrypted at rest gives any security advantage. I can see this being the case if TPM is used to store the key for example but not for normal ssh keys. | 23:15:21 |
| Alexandros Liarokapis | idea is you add the machine-scoped/project-scoped/secret-scoped BWS key on /var/lib/bws/auth or similar. Rest of the interface is pretty much the same as agenix minus the age/ssh-specific configs and using .id instead of .file And I am kind of split between keeping the secrets at /var/lib/bws/secrets unencrypted but with proper permissions or encrypting with some identity key as agenix and decrypting on startup to /run/secrets but I don't think the latter gives any security advantage in practice, I /could/ use TPM however which would give some protection against stolen disk contents. | 23:19:08 |
| 3 Dec 2025 |
|  Gus joined the room. | 12:29:10 |
| 4 Dec 2025 |
|  @onur-ozkan:matrix.org joined the room. | 04:20:47 |
| isabel changed their profile picture. | 16:42:13 |
| 11 Dec 2025 |
|  suua joined the room. | 16:11:07 |
| 12 Dec 2025 |
|  whispers [& it/fae] changed their profile picture. | 04:51:16 |
| 13 Dec 2025 |
|  MartiniMoe left the room. | 07:35:43 |
|  Josh joined the room. | 22:41:55 |
| Josh | Redacted or Malformed Event | 23:20:22 |
| Josh changed their display name from Joshua Campbell to Josh. | 23:25:01 |
| 16 Dec 2025 |
|  @azahi:azahi.cc joined the room. | 18:22:06 |
| 17 Dec 2025 |
|  aura joined the room. | 11:03:34 |
| 24 Dec 2025 |
|  pltrz joined the room. | 12:36:21 |
| 26 Dec 2025 |
| isabel changed their profile picture. | 11:37:59 |
