by sudahtigabulan
113 days ago
> They sit on disk as plaintext, readable by any process running as your user

The proposed solution:

> Instead of loading secrets from a file, you use a wrapper script that fetches secrets from a secure store and injects them as environment variables into your process

Now they sit "on disk" as plaintext, in /proc/self/environ, still readable by any process running as your user.
That's why I prefer programs that read all configuration from a file: this file can be dumped with a fresh secret value, read by the program and deleted right away once consumed.
Environment variables tend to be messy IMO
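Added example (not code from this thread or from any project discussed in it) showing both points the comment makes: a child process's environment can be read back through `/proc/<pid>/environ` by the parent running as the same user, and a config file can be created with a fresh secret, opened, unlinked right away, and only then read. All function names (`child_env_visible_in_proc`, `write_secret_file`, `consume_secret_file`, `roundtrip_demo`) and the sample secret value are constructed for this illustration; the `/proc` check is Linux-specific and reports `None` elsewhere.

```python
import json
import os
import subprocess
import sys
import tempfile

# Added example, not code from the thread. Names below are hypothetical.


def proc_environ_available() -> bool:
    """True on Linux-like systems that expose /proc/self/environ."""
    return os.path.exists("/proc/self/environ")


def child_env_visible_in_proc(name: str, value: str):
    """Start a child with NAME=value in its environment and check whether the
    parent (same user, a different process) can read it from /proc/<pid>/environ.

    Returns True/False, or None where /proc is not available."""
    if not proc_environ_available():
        return None
    # Popen returns only after the child has exec'd, so /proc/<pid>/environ
    # already reflects the new image when we read it.
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"],
        env={name: value},
    )
    try:
        with open(f"/proc/{child.pid}/environ", "rb") as fh:
            entries = fh.read().split(b"\0")
        return f"{name}={value}".encode() in entries
    finally:
        child.kill()
        child.wait()


def write_secret_file(path: str, secrets: dict) -> None:
    """Create the config file with mode 0600 and O_EXCL, so a path that already
    exists (for example a pre-planted symlink) is refused rather than followed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(secrets, fh)


def consume_secret_file(path: str) -> dict:
    """Open the file, unlink it immediately, then read from the still-open
    descriptor (POSIX keeps the data reachable until the last fd closes)."""
    fd = os.open(path, os.O_RDONLY)
    os.unlink(path)  # the name is gone before a single byte is parsed
    with os.fdopen(fd, "r") as fh:
        return json.load(fh)


def roundtrip_demo(secrets: dict):
    """Write a fresh secret file into a private temp dir, consume it, and report
    (recovered secrets, file mode was 0600, file still exists afterwards)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "app.json")
    try:
        write_secret_file(path, secrets)
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
        recovered = consume_secret_file(path)
        return recovered, mode_ok, os.path.exists(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # Constructed sample secret; never a real credential.
    print("child env readable via /proc:",
          child_env_visible_in_proc("DEMO_SECRET", "constructed-value"))
    print("file round trip:", roundtrip_demo({"db_password": "constructed-value"}))
```

The file variant narrows the exposure to the window between creation and `os.unlink`, but mode 0600 still permits any process running as the same user to read it during that window, so the gain over the environment variable is lifetime, not a different trust boundary.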