Determinate Secure Packages
Determinate Secure Packages provides secure, signed, auditable Nix packages that you can trust. It’s built on Nixpkgs, the world’s largest package repository, and adds the enterprise-grade security, compliance controls, and managed vulnerability remediation demanded by production systems in critical industries, including support for Federal Information Processing Standards (FIPS).
Determinate Secure Packages is available through FlakeHub to organizations that have been provided access. Contact us at sales@determinate.systems to discuss terms of access or schedule a demo.
System support
These systems are fully supported, with covered packages pre-built and cached in FlakeHub Cache:
- x86_64-linux (64-bit x86 Intel/AMD Linux)
- aarch64-linux (64-bit ARM Linux)
- aarch64-darwin (64-bit ARM macOS)
These systems are partially supported, which means that covered packages are not pre-built/cached and no release metadata is provided:
- x86_64-darwin (64-bit Intel/AMD macOS) is available as a legacy target
- riscv64-linux (64-bit RISC-V Linux) is available as an upcoming target
Variants
There are two variants of Determinate Secure Packages via FlakeHub (accessible only if you have access and are logged in):
- The standard variant at DeterminateSystems/secure. You should use this unless you're sure that you need FIPS support.
- The FIPS variant at DeterminateSystems/secure-fips.
Requirements
If you’d like to use Determinate Secure Packages, you need to ensure that:
- Your organization has access.
- You’ve installed Determinate Nix. In CI environments, use the Determinate Nix Action to install it (authentication with FlakeHub is automatic).
- You’ve authenticated with FlakeHub and thereby with FlakeHub Cache. Authentication happens automatically in cloud environments like Amazon Web Services and CI/CD environments like GitHub Actions.
Usage
Once you’ve checked those boxes, you can add Determinate Secure Packages to an existing flake using fh, the CLI for FlakeHub:
```shell
fh add DeterminateSystems/secure
```
Or you can add it manually:
```nix
{
  inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";
}
```
Using the FIPS variant
Determinate Secure Packages also has a variant in which all covered packages are compliant with Federal Information Processing Standards (FIPS). This variant activates FIPS mode for widely used packages like OpenSSL, Network Security Services (NSS), GnuTLS, and Cryptsetup, as well as any packages that depend on them.
The instructions for this variant are analogous to those above, except that:
- You run fh add DeterminateSystems/secure-fips to add it to a flake.
- You use the flake input https://flakehub.com/f/DeterminateSystems/secure-fips/0 in your flakes.
Another option for FIPS support is to set config.enableFIPS = true when importing the secure variant:
```nix
{
  inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";

  # In your outputs block, enable FIPS mode when importing Nixpkgs
  pkgs = import inputs.nixpkgs {
    # Other attributes, such as `system`
    config.enableFIPS = true;
  };
}
```
In general, though, we recommend using the DeterminateSystems/secure-fips flake instead of this approach.
Example flake
The flake below uses Determinate Secure Packages with FIPS enabled to output a dev shell with OpenSSL available:
```nix
{
  inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure-fips/0";

  outputs =
    { self, ... }@inputs:
    let
      supportedSystems = [
        "x86_64-linux" # 64-bit x86 Intel/AMD Linux
        "aarch64-linux" # 64-bit ARM Linux
        "aarch64-darwin" # 64-bit ARM macOS
      ];

      # Apply `f` once per supported system, giving it a `pkgs` for that system
      forEachSupportedSystem =
        f:
        inputs.nixpkgs.lib.genAttrs supportedSystems (
          system:
          f {
            pkgs = import inputs.nixpkgs { inherit system; };
          }
        );
    in
    {
      devShells = forEachSupportedSystem (
        { pkgs }:
        {
          default = pkgs.mkShell {
            packages = with pkgs; [
              openssl
            ];
          };
        }
      );
    };
}
```
Package inclusion
You can use any package available in the revision of Nixpkgs from which a specific release of Determinate Secure Packages was built (evaluate it, build it, run it, and so on). Determinate Systems actively monitors, patches (if necessary), builds, and caches a carefully chosen subset of all available packages. That includes packages for which FIPS support is relevant as well as:
- A variety of packages deemed of critical importance, such as widely used shells and shell utilities, systemd, various language compilers, and more.
- All of the packages necessary to build Determinate Nix, FlakeHub, and other Determinate Systems software.
- All of the packages necessary to build a baseline NixOS system.
This curated package set will grow over time in response to customer and community needs (in order of importance).
Release metadata
Each Determinate Secure Packages release—for both the secure and secure-fips variants—includes per-system metadata files in the artifacts directory:
| Purpose | Files |
|---|---|
| A full list of store paths included in the curated package set | closure-x86_64-linux.json, closure-aarch64-linux.json, closure-aarch64-darwin.json |
| A Software Bill of Materials (SBOM) for the full curated package set in CycloneDX format | sbom-x86_64-linux.cyclonedx.json, sbom-aarch64-linux.cyclonedx.json, sbom-aarch64-darwin.cyclonedx.json |
A Nix-based way to access these files is to clone the flake locally using Determinate Nix’s nix flake clone command.
Here’s an example for the secure variant:
```shell
nix flake clone "https://flakehub.com/f/DeterminateSystems/secure/0" --dest nixpkgs
jq . ./nixpkgs/artifacts/closure-aarch64-darwin.json
```
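Once the artifacts are cloned locally, the SBOM is what you would use to answer the questions an audit actually asks: is a given package (and which version of it) in the curated set for this system, and what changed between two releases. The script below is an added example written for this page, not tooling that ships with Determinate Secure Packages; it operates on the CycloneDX JSON layout in general and is exercised here on two constructed sample documents whose package versions are illustrative only. It handles two things the standard allows that a naive name-to-version lookup gets wrong: a component name appearing with several versions in one closure, and components nested inside other components.

```python
"""Inspect and compare CycloneDX SBOMs such as the per-system
sbom-<system>.cyclonedx.json files in a release's artifacts directory."""
import json
import sys
from collections import defaultdict

# Constructed sample SBOMs for this example. They follow the CycloneDX JSON
# layout but are not real Determinate Secure Packages release artifacts, and
# the package versions are illustrative only.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13"},
        {"type": "library", "name": "nss", "version": "3.98"},
        {"type": "application", "name": "bash", "version": "5.2.26"},
    ],
})
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.14"},
        # CycloneDX allows components to nest; nspr is recorded under nss here.
        {"type": "library", "name": "nss", "version": "3.98",
         "components": [{"type": "library", "name": "nspr", "version": "4.35"}]},
        {"type": "application", "name": "systemd", "version": "255.4"},
    ],
})


def iter_components(comps):
    """Yield every component, descending into nested 'components' lists."""
    for comp in comps:
        yield comp
        yield from iter_components(comp.get("components", []))


def component_versions(sbom_json):
    """Map component name -> sorted list of versions present in the SBOM.

    One name can legitimately occur with several versions in a closure, so
    versions are accumulated in a set instead of overwriting each other.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    versions = defaultdict(set)
    for comp in iter_components(doc.get("components", [])):
        versions[comp["name"]].add(comp.get("version", ""))
    return {name: sorted(found) for name, found in versions.items()}


def versions_of(sbom_json, name):
    """Versions of a named component, or [] if it is not in the SBOM."""
    return component_versions(sbom_json).get(name, [])


def diff_sboms(old_json, new_json):
    """Components added, removed, or re-versioned between two SBOMs."""
    old, new = component_versions(old_json), component_versions(new_json)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted((n, old[n], new[n]) for n in common if old[n] != new[n]),
    }


if __name__ == "__main__":
    # Usage: python sbom_diff.py OLD.cyclonedx.json NEW.cyclonedx.json
    # With no arguments, the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_doc, new_doc = f_old.read(), f_new.read()
    else:
        old_doc, new_doc = OLD_SBOM, NEW_SBOM
    for kind, entries in diff_sboms(old_doc, new_doc).items():
        print(f"{kind}:")
        for entry in entries:
            print(f"  {entry}")
```

Point it at two cloned releases (for example the sbom-aarch64-linux.cyclonedx.json from each) to see exactly which packages were added, dropped, or bumped between them; the changed list is the one to cross-reference against vulnerability advisories, and the removed list is the one that catches a package silently leaving the curated set.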