Let's go through this from a security architecture perspective and identify:

Potential risks

Mitigation strategies

Recommendations specific to Guix in air-gapped, classified use

🛡️ Security Risks in an Air-Gapped Guix Workflow

1. Supply Chain Attacks via Source Code
Even though you build from source, the upstream source (tarballs, Git checkouts) may already have been modified maliciously before anyone on your side ever saw it.

Guix does verify sources cryptographically: every package's origin carries a SHA-256 hash, and the fixed-output derivation that fetches the source fails if the bytes do not match. But that hash was computed by whoever wrote the package definition. It pins exactly what the packager fetched, including any backdoor that was already present upstream, and it is not checked against an independent trust anchor such as an upstream signature or a second, separately administered mirror.

✅ Mitigations:

Build the source derivation on its own with guix build --source PACKAGE; it is a fixed-output derivation, so a hash mismatch fails before any build script runs.

Use reproducible builds and determinism checks: guix build --check rebuilds a package and fails if the result differs from the previous build on the same machine; across machines, compare the nar hashes of the outputs produced by independent, trusted builders.

Maintain a private mirror of vetted source code and compute the hashes yourself (guix hash, guix download) instead of trusting the ones that arrive with the package definitions.

Run content scanning (static analyzers, a diff against the previously vetted release) on every tarball and Git checkout before it is admitted to the mirror.

| | 25 | 2. Compromise via Channel Updates |
| | 26 | Your Guix package definitions come from Git channels (e.g., guix.git, or your own). |
| | 27 | |
| | 28 | If your channel is compromised, malicious package definitions could be delivered. |
| | 29 | |
| | 30 | β
Mitigations: |
| | 31 | |
| | 32 | Use a pinned commit hash in your channels.scm. |
| | 33 | |
| | 34 | Verify the channel commit with signed Git commits or tags (Guix supports this). |
| | 35 | |
| | 36 | Host your own internal Guix channel for critical environments β control what definitions are trusted. |
| | 37 | |
| | 38 | Use guix time-machine to avoid rolling updates. |
| | 39 | |
| | 40 | 3. Media Transfer Risks (USB, SD cards) |
| | 41 | USB drives used for transferring .nar files or source archives can be a vector for malware, even in an air-gapped setup. |
| | 42 | |
| | 43 | β
Mitigations: |
| | 44 | |
| | 45 | Always format and scan USB media on a controlled, known-clean staging machine before inserting into classified systems. |
| | 46 | |
| | 47 | Use write-once optical media (DVD-R) where appropriate for immutable transfer. |
| | 48 | |
| | 49 | Prefer hash verification of transferred files (sha256sum sources.nar) using offline-known-good hashes. |
| | 50 | |
| | 51 | 4. Build Environment Leakage |
| | 52 | If the build process writes temporary files or outputs data to places outside the Guix store, secrets or traces of sensitive data could leak or persist. |
| | 53 | |
| | 54 | β
Mitigations: |
| | 55 | |
| | 56 | Use guix build inside a dedicated, minimal, reproducible system (e.g., a guix system vm). |
| | 57 | |
| | 58 | Enable build sandboxing (enabled by default in Guix). |
| | 59 | |
| | 60 | Disable networking in builders if not already (Guix does this by default, but confirm your configuration). |
| | 61 | |
| | 62 | Consider full-disk encryption for the build system. |
| | 63 | |
| | 64 | 5. Tampered Nar Archives |
| | 65 | .nar archives imported into your air-gapped server could be tampered with in transit. |
| | 66 | |
| | 67 | β
Mitigations: |
| | 68 | |
| | 69 | Sign the archive on the export side and verify the signature on the import side. |
| | 70 | |
| | 71 | Use GPG or minisign for signing hashes. |
| | 72 | |
| | 73 | Maintain a hash whitelist of approved .nar files on the classified system. |
| | 74 | |
| | 75 | Store all .nar imports in a sealed append-only log for auditing. |
| | 76 | |
✅ High-Security Recommendations for Guix in Classified Environments

Concern                   Recommendation
Source authenticity       Use fixed-output derivations with hashes you pinned yourself against a vetted mirror
Package definition trust  Host an internal Guix channel; pin full commit hashes and declare a channel introduction
Archive integrity         Sign .nar files (guix archive --export) and verify signatures on import
Reproducibility           Use multiple offline builders and cross-check output nar hashes
Logging                   Keep a tamper-evident audit trail of all imports and builds
Isolation                 Build in virtual machines or system containers with no network
Transfer media            Sanitize USBs or use write-once optical media; verify against an out-of-band manifest
User separation           Separate users for import, build, audit, and deployment tasks
Final Thoughts
Guix offers an excellent foundation for secure, reproducible software environments.

But air-gapped security is about the whole process, not just the tooling.

You should treat the Guix channel, source transport, build environment, and auditability as a single trusted pipeline.