The command line really wasn't designed for secrets. So, keeping secrets secret on the command line requires some extra care and effort.

The other day in my homelab I was configuring a TLS client certificate for a Grafana datasource. The intention was to write something I could run on a timer whenever the certificate is renewed. It would:

1. Build some JSON with the renewed certificate and private key injected into it.
2. PUT it to Grafana's API to update the datasource configuration.

I thought I was being very clever when I wrote this lil' Bash pipeline:

    BEARER_TOKEN=MhY3b3i3gFpa9otnLQVznJYoWLxpGJUod3iDJwCKRFUVtuALGJooBJuCUf7w9HJfbu
    ... --arg ca_cert "$( ...

... /cmdline, which is globally readable for any process ID.

To make atonement, I'm writing this post. We'll look at three methods for handling secrets on the command line: using piped data, credential files, and environment variables. We'll look at some of the risks of these approaches, and how to use each of them as safely as possible.

But first, let's look at a sanitized version of the above pipeline:

    jq -n
      --rawfile ca_cert $STEPPATH/certs/root_ca.crt
      ...

The --rawfile flag in jq moves the credentials closer to where they are used by delegating the responsibility for reading the certificate data from the files to jq instead of bash. Once jq pushes the secret JSON into the pipe, curl uses the -d flag to pull the secret data directly from the pipe and use it as the HTTPS request body. And -H will read the static bearer token from a file (api_headers). Now, no secrets will appear in ps, only filenames.

Piped Secrets

As the sanitized example shows, a pipeline is generally an excellent way to pass secrets around, if the program you're using will accept a secret via STDIN. Because a pipe only has two ends, right? Imagine yourself whispering a secret into one end of a pipe, and a friend putting their ear up to the other.

Variables can easily end up in shell history:

    $ BEARER_TOKEN=MhY3b3i3gFpa9otnLQVznJYoWLxpGJUod3iDJwCKRFUVtuALGJooBJuCUf7w9HJfbu

In many shells, adding an extra space before a command will exclude it from shell history (in Bash, the HISTCONTROL variable must be set to ignorespace). In the Fish shell, run fish --private to start a private mode Fish session. Secrets can also slip into your editor's search history.

Local (unexported) shell variables are also easy to leak into ps output. Exported environment variables will get passed to every new process, and then who knows what will happen to them. They might get dumped to STDOUT or logged to a debug logfile. In systemd, environment variables in unit files are available to users via the dbus interface (see the recent introduction of LoadCredential= for an alternative that uses credential files). In Docker, anyone with access to the Docker daemon can use docker inspect to see all of the environment variables for any running container.
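The /cmdline and ps points above, as an added example that is not from the original post: a POSIX shell script that starts a child process twice, once with the secret on its argv and once fed through a pipe on STDIN, and reports whether the secret is visible in the child's own argv. The child reads /proc/PID/cmdline on Linux and falls back to ps(1) elsewhere; the child script, the helper names and the placeholder token value are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: why a secret passed as a
# command-line argument is visible to every user on the host (via
# /proc/PID/cmdline or ps), while the same secret handed over through a
# pipe on STDIN is not. Assumes a Linux /proc, with ps(1) as a fallback.

# Constructed placeholder value; not a real credential.
SAMPLE_SECRET="example-token-not-a-real-credential"

# Child script: print the child's own argv as one line. Inside `sh -c`, $$ is
# the child's PID, so this is exactly what `ps` would show for that process.
CHILD_SHOW_ARGV='if [ -r /proc/$$/cmdline ]; then tr "\000" " " < /proc/$$/cmdline; else ps -o args= -p $$; fi'

# Start a child that receives the secret as an argument; return its argv.
# Note the secret only reaches argv when it is handed to an exec'd process:
# holding it in a shell variable inside this script does not put it there.
argv_of_child_given_secret_as_arg() {
    sh -c "$CHILD_SHOW_ARGV" sh "$1"
}

# Start a child that receives the secret on STDIN, as a pipeline would, and
# return its argv. The child reads the secret into a variable first.
argv_of_child_given_secret_on_stdin() {
    printf '%s\n' "$1" | sh -c "read -r token; $CHILD_SHOW_ARGV"
}

# Return 0 if the secret text ($2) appears anywhere in the argv line ($1).
# A case pattern is used instead of grep so the secret is not itself passed
# to grep as an argument.
argv_contains() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# "exposed" or "hidden" for the argument approach.
arg_approach() {
    if argv_contains "$(argv_of_child_given_secret_as_arg "$1")" "$1"; then
        echo exposed
    else
        echo hidden
    fi
}

# "exposed" or "hidden" for the STDIN (pipe) approach.
stdin_approach() {
    if argv_contains "$(argv_of_child_given_secret_on_stdin "$1")" "$1"; then
        echo exposed
    else
        echo hidden
    fi
}

# Stand-alone run: prints "argument: exposed" and "stdin: hidden".
echo "argument: $(arg_approach "$SAMPLE_SECRET")"
echo "stdin:    $(stdin_approach "$SAMPLE_SECRET")"
```

The same check applies to the original pipeline: `--arg ca_cert "$(cat file)"` puts the certificate contents on jq's argv, whereas `--rawfile` leaves only the file path there and jq reads the contents itself.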