We’ll look at three methods for handling secrets on the command line: using piped data, credential files, and environment variables.

For example, say we have a $STEP_CA_PASSWORD environment variable, and we run the following in Bash:

The /proc/<pid>/cmdline for this process will contain something like:

Using this <() syntax of process substitution, Bash will create a file using the output of echo -n "$STEP_CA_PASSWORD" and supply that file’s name to --password-file.

Great, right? The downside is that it appears unsafe, because $STEP_CA_PASSWORD is still getting substituted into something that certainly looks like it’s a command.

Secrets managers can be great because they can make it easier to get secrets closer to where they are used.

If you run ps during the curl command shown here, you’ll see:

Now technically, if a system is overloaded enough, it could be possible to grab the secret from /proc/<pid>/cmdline before curl has a chance to overwrite it.
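An added example (not from the original post) that audits /proc/<pid>/cmdline for a secret and shows the Python equivalent of the <() trick above: the child receives a /dev/fd path through pass_fds, so only that path, never the secret, appears in its argv. The secret values, the sleeping child and the cat consumer are constructed stand-ins for step-ca and its --password-file option.

```python
"""Audit /proc/<pid>/cmdline for an exposed secret, and hand a secret to a child
through a /dev/fd path instead (the Python equivalent of Bash's <() process
substitution). Added example, not from the original post; values are constructed."""
import os
import subprocess
import sys

PROC = "/proc"


def proc_available():
    """True on Linux, where /proc/<pid>/cmdline is readable by every user."""
    return os.path.exists(os.path.join(PROC, "self", "cmdline"))


def cmdline_of(pid):
    """argv of <pid> as a list; entries are NUL-separated in /proc."""
    try:
        with open(os.path.join(PROC, str(pid), "cmdline"), "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:  # process exited, or not readable
        return []


def pids_exposing(secret):
    """PIDs whose command line contains `secret`: what `ps` would show anyone."""
    pids = os.listdir(PROC) if proc_available() else []
    return [int(p) for p in pids
            if p.isdigit() and any(secret in a for a in cmdline_of(int(p)))]


def spawn_leaky(secret):
    """Anti-pattern: the secret as an argument. Returns the child for auditing."""
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)", secret])


def run_with_fd_file(secret, argv_template):
    """Run argv_template with '{PASSWORD_FILE}' replaced by a /dev/fd/N path that
    yields `secret`, like `--password-file <(echo -n "$STEP_CA_PASSWORD")`.
    Only that path lands in argv. Returns (argv used, child's stdout)."""
    r, w = os.pipe()
    os.write(w, secret.encode())  # a short secret fits in the pipe buffer
    os.close(w)                   # so the reader sees EOF after the secret
    argv = [a.replace("{PASSWORD_FILE}", "/dev/fd/%d" % r) for a in argv_template]
    try:
        out = subprocess.run(argv, pass_fds=(r,), capture_output=True, text=True)
    finally:
        os.close(r)
    return argv, out.stdout
```

Calling run_with_fd_file(secret, ["cat", "{PASSWORD_FILE}"]) returns the secret on stdout while the argv it used holds only /dev/fd/N; spawn_leaky followed by pids_exposing lists the child's PID, which is the exposure the post describes.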
As said here by Carl Tashian