Threat Model

The project is based on age and inherits age's threat model. See the age spec.

Vaultix ensures that your plaintext secrets are never stored in the Nix store (where they would be globally readable) and never written to disk, and that they are protected while in transit over the network.

About "Harvest Now, Decrypt Later"

The Harvest Now, Decrypt Later strategy involves collecting and storing encrypted data today with the aim of decrypting it in the future, potentially using quantum computers.

If your configuration, including the encrypted secrets, is exposed in a public repository, Vaultix, like most other NixOS secret management solutions, cannot fully mitigate this risk. For more context, see this issue and discussion.

For those concerned about this threat, consider using age-plugin-sntrup761x25519, which offers post-quantum encryption. This plugin relies on Rust bindings to C implementations of cryptographic algorithms from the NIST Post-Quantum Cryptography competition. Note, however, that this plugin has not undergone extensive security review.