How to Handle Secrets on the Command Line

We’ll look at three methods for handling secrets on the command line: Using piped data, credential files, and environment variables. For example, say we have a $STEP_CA_PASSWORD environment variable, and we run the following in Bash:The /proc/<pid>/cmdline for this process will contain something like:Using this <() syntax of process substitution, Bash will create a file using the output of echo -n "$STEP_CA_PASSWORD" and supply that file’s name to --password-file.Great, right? The downside is that it appears unsafe, because $STEP_CA_PASSWORD is still getting substituted into something that certainly looks like it’s a command.Secrets managers can be great because they can make it easier to get secrets closer to where they are used. If you run ps during the curl command shown here, you’ll see:Now technically, if a system is overloaded enough, it could be possible to grab the secret from /proc/<pid>/cmdline before curl has a chance to overwrite it.