Sécurix is an alpha‑stage, NixOS‑derived operating system designed by the French DINUM’s OPI department to provide reproducible, policy‑driven hardening for small‑to‑medium teams. By embedding ANSSI recommendations, TPM2/Yubikey support, FIDO2‑only login and optional Vault/age encryption, it offers a modular security posture that can be tuned per use‑case while remaining fully declarative and reproducible.
Thesis
Sécurix attempts to answer a persistent tension in public‑sector IT: how to deliver a workstation that is both highly secure and easily reproducible across diverse teams. By building on NixOS, a Linux distribution whose entire system configuration is expressed as pure functional code, Sécurix can instantiate a hardened environment on demand, enforce ANSSI‑mandated policies, and integrate modern hardware‑root‑of‑trust mechanisms such as TPM2 and FIDO2. The project is still in alpha, but its architecture illustrates a compelling blueprint for policy‑driven secure workstations.
Key Arguments
1. Declarative Hardening via NixOS
NixOS stores the complete system state in a single, immutable description (configuration.nix). Sécurix leverages this to encode ANSSI hardening rules—kernel parameter tweaks, disabled modules, mandatory access controls—directly into the OS image. Because the configuration is version‑controlled, any deviation can be detected automatically, and the same build can be reproduced on any machine, ensuring configuration drift is eliminated.
2. Flexible Security Posture
The project’s design acknowledges that not every team needs the same level of protection. Certain ANSSI rules can be toggled off via Nix options, allowing a multi‑agent workstation (e.g., a developer who needs container runtimes) to coexist with a high‑assurance intranet‑only node. This modularity is achieved without forking the kernel; instead, Sécurix ships a custom Linux kernel pre‑patched according to ANSSI guidelines, with optional patches that can be enabled or disabled at build time.
3. Hardware‑Rooted Identity and Encryption
Sécurix integrates TPM2 for secure key storage and Yubikey/FIDO2 for authentication. The primary login method is password‑less, relying on a FIDO2 token that also unlocks the encrypted disk. A fallback password exists only as a last‑resort recovery mechanism. Disk encryption can be performed with age, a modern, simple tool, or delegated to an external Vault service for enterprise key management. This dual‑path approach provides both simplicity for small teams and scalability for larger deployments.
4. Centralised On‑boarding and Telemetry
A planned "phone‑home" server will automate the enrollment of new workstations:
- The machine’s TPM2‑derived SSH key is pushed to an infrastructure repository.
- Permissions to decrypt secrets via age (or Vault) are granted automatically.
- Secure‑Boot keys (PK/KEK) can be rotated centrally.
This infrastructure reduces the manual steps traditionally required for secure bootstrapping and aligns with zero‑trust principles by ensuring each node proves its identity before receiving secrets.
5. Test‑Driven Assurance
Sécurix ships a NixOS test suite that spins up a virtual machine, applies the configuration, and validates expected security properties (e.g., kernel hardening flags, TPM presence, encrypted root). Running nix-build -A tests produces reproducible test artifacts, reinforcing confidence that the declared configuration matches the runtime state.
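As an added illustration of the two mechanisms described above (a toggle‑able hardening rule set from "Flexible Security Posture" and a VM test from "Test‑Driven Assurance"), the following file is example code written for this review, not Sécurix’s own module or test suite. The `securix.hardening.*` option names are hypothetical; the NixOS options and sysctl keys they set are real, and the file assumes a `<nixpkgs>` entry on NIX_PATH.

```nix
# Added example, not Sécurix's code. Option names under securix.* are
# hypothetical; boot.*/security.* are standard NixOS options.
# Build and run the VM test with: nix-build securix-hardening-test.nix
let
  # Module with a per-team switch: the rule set is enforced as a whole, but a
  # team that needs rootless containers can keep user namespaces enabled.
  hardening = { config, lib, ... }:
    let cfg = config.securix.hardening; in {
      options.securix.hardening = {
        enable = lib.mkEnableOption "ANSSI-style kernel hardening rules";
        allowUserNamespaces = lib.mkOption {
          type = lib.types.bool;
          default = false;
          description = "Keep unprivileged user namespaces (container runtimes).";
        };
      };
      config = lib.mkIf cfg.enable {
        boot.kernel.sysctl = {
          "kernel.kptr_restrict" = 2;      # hide kernel pointers from all users
          "kernel.dmesg_restrict" = 1;     # dmesg readable by root only
          "kernel.yama.ptrace_scope" = 1;  # ptrace limited to descendants
        };
        security.allowUserNamespaces = cfg.allowUserNamespaces;
        security.lockKernelModules = true; # kernel.modules_disabled=1 after boot
        boot.blacklistedKernelModules = [ "firewire-core" "thunderbolt" ];
      };
    };
in
# VM test: boot a machine with the module and check that the runtime
# kernel state matches what the declaration promises.
import <nixpkgs/nixos/tests/make-test-python.nix> ({ ... }: {
  name = "securix-hardening";
  nodes.machine = { ... }: {
    imports = [ hardening ];
    securix.hardening.enable = true;
  };
  testScript = ''
    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("disable-kernel-module-loading.service")
    def sysctl(key):
        return machine.succeed(f"sysctl -n {key}").strip()
    assert sysctl("kernel.kptr_restrict") == "2"
    assert sysctl("kernel.dmesg_restrict") == "1"
    assert sysctl("kernel.yama.ptrace_scope") == "1"
    assert sysctl("kernel.modules_disabled") == "1"   # module loading locked
    assert sysctl("user.max_user_namespaces") == "0"  # default: namespaces off
  '';
})
```

Flipping `securix.hardening.allowUserNamespaces` to `true` in `nodes.machine` should make the last assertion fail, which is exactly the kind of declared‑versus‑runtime mismatch the test is meant to surface.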
Implications
- Operational Consistency: Teams can share a single declarative definition of a secure workstation, guaranteeing that every laptop complies with the same baseline.
- Regulatory Alignment: By adhering to ANSSI recommendations, French public agencies can demonstrate compliance during audits without bespoke hardening scripts.
- Scalable Trust: The combination of TPM2, FIDO2, and optional Vault integration creates a layered trust model that can be extended to larger federations of machines.
- Open‑Source Transparency: Released under the MIT license, Sécurix invites external review of its hardening choices, a crucial factor for public‑sector security.
Counter‑Perspectives
- Alpha Maturity: The project is explicitly marked as alpha; many components (e.g., the phone‑home server, full Secure‑Boot rotation) remain in development, which may limit immediate adoption.
- Complexity for Small Teams: While NixOS offers reproducibility, its learning curve is steep. Teams without existing Nix expertise might struggle to maintain the configuration.
- Hardware Dependency: Full security benefits require TPM2 and FIDO2 hardware. Legacy devices lacking these components cannot participate without compromising the intended security model.
- Vendor Lock‑in Risk: Relying on French‑specific ANSSI guidelines may make the OS less attractive for organizations operating under different regulatory frameworks.
Conclusion
Sécurix exemplifies how a declarative, reproducible OS can be engineered to meet stringent governmental security standards while offering the flexibility needed for varied team requirements. Its integration of modern hardware trust anchors and a vision for automated onboarding positions it as a reference implementation for secure workstations, provided the community can mature the remaining components and lower the entry barrier for Nix newcomers.
For more details, consult the GitHub repository and the linked ANSSI documentation.