
Dhparams

security.dhparams.defaultBitSize

Overrides the default bit size for all of the Diffie-Hellman parameter sets declared in security.dhparams.params that do not set their own size.

Type: integer of at least 16 bits

Default

2048

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.enable

Whether to generate new DH params and clean up old DH params.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.params

Diffie-Hellman parameters to generate.

The value is the size (in bits) of the DH params to generate. The generated DH params path can be found in config.security.dhparams.params.«name».path.

::: {.note} The name of each DH parameter set is taken to be the name of the service it serves, and the parameters will be generated before that service is started. :::

::: {.warning} If you remove all dhparams from this list, you have to leave security.dhparams.enable set for at least one activation in order to have the old files cleaned up. This also means that if you roll back to a configuration without any dhparams, the existing files will not be cleaned up. This only applies if security.dhparams.stateful is true. :::

::: {.note} For module implementers: it is recommended not to set a specific bit size here, so that users can easily override it by setting security.dhparams.defaultBitSize. :::

Type: attribute set of ((submodule) or signed integer convertible to it)

Default

{ }

Example

{ nginx.bits = 3072; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.params.<name>.bits

The bit size for the prime that is used during a Diffie-Hellman key exchange.

Type: integer of at least 16 bits

Default

config.security.dhparams.defaultBitSize

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.params.<name>.path

The resulting path of the generated Diffie-Hellman parameters file, for other services to reference. This is either a store path or a file inside the directory specified by security.dhparams.path, depending on security.dhparams.stateful.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.path

Path to the directory in which Diffie-Hellman parameters will be stored. This is only relevant if security.dhparams.stateful is true.

Type: string

Default

"/var/lib/dhparams"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix

security.dhparams.stateful

Whether generation of Diffie-Hellman parameters should be stateful or not. If this is enabled, PEM-encoded files for Diffie-Hellman parameters are placed in the directory specified by security.dhparams.path. Otherwise the files are created within the Nix store.

::: {.note} If this is false, the resulting store path will be non-deterministic and will be rebuilt every time the openssl package changes. :::

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/dhparams.nix
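The following configuration fragment is an added example, not part of the nixpkgs module documentation, showing how the params, defaultBitSize, stateful and path options above fit together. It assumes a host that runs nginx, that the nginx module exposes a services.nginx.sslDhparam option (present in current nixpkgs, but check your channel), and a hypothetical second consumer named postfix.

```nix
# Added example (not from the dhparams module). Assumes nginx is the
# TLS service and that services.nginx.sslDhparam exists in your channel.
{ config, lib, ... }:

{
  security.dhparams = {
    enable = true;

    # Keep the generated PEM files under /var/lib/dhparams (the default
    # directory) so they persist across rebuilds instead of being
    # regenerated whenever the openssl package changes.
    stateful = true;
    path = "/var/lib/dhparams";

    # Raise the floor for every parameter set that does not pin its own
    # size; 2048 is the module default.
    defaultBitSize = 3072;

    params = {
      # The attribute name is the service name: generation is ordered
      # before nginx.service starts. No bits given, so defaultBitSize
      # (3072 here) applies and can be overridden centrally later.
      nginx = { };

      # Hypothetical second consumer with an explicit, larger prime.
      postfix.bits = 4096;
    };
  };

  services.nginx = {
    enable = true;
    # Reference the generated file through the module-provided path rather
    # than hardcoding a file name, so it also works if stateful is later
    # switched off and the file moves into the Nix store.
    sslDhparam = config.security.dhparams.params.nginx.path;
  };
}
```

After activation, `openssl dhparam -text -noout -in <path>` on the file at security.dhparams.params.nginx.path confirms the prime size that was actually generated.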