Aaron Mulder via plug on 11 Jan 2024 05:52:08 -0800



Re: [PLUG] secure variables in bash


Isn’t the usual way to have the process read it from a file or environment variable?  How can you hide it if you put it into the command line?

Thanks,
      Aaron

On Thu, Jan 11, 2024 at 8:46 AM Rita via plug <plug@lists.phillylinux.org> wrote:
The root process can have the password, that's OK. Someone else on the same system (ps, /proc/) shouldn't be able to see it.


On Wed, Jan 10, 2024 at 9:48 PM K.S. Bhaskar via plug <plug@lists.phillylinux.org> wrote:
It seems to me that the big question when it comes to keeping secrets is who you want to share it with, and importantly, who you want to keep it from. A root process? Someone on another system who might see it on a core dump?

Regards
– Bhaskar

On Wed, Jan 10, 2024 at 8:18 PM Rita via plug <plug@lists.phillylinux.org> wrote:
I am hoping there is a clever, unix-y way to do this. 

I have something like this:

secret=$(curl https://server/api/creds | jq .Secret)
process --secret=$secret

This works fine, but I was wondering if there was a better way to secure my "secret" with tools like ssh, gpg, etc..

My intention is to avoid seeing the secret in `ps` or `bash -x`. It seems deceptively simple but quite hard to do.

Any ideas?




--
--- Get your facts first, then you can distort them as you please.--
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
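
Added example, not part of the original thread or any poster's code: a shell sketch that starts a stand-in child three ways (secret in argv, on stdin, in the environment) and checks what `/proc/<pid>/cmdline`, the source `ps` reads, exposes in each case. It assumes Linux with `/proc` mounted; `consumer` and `CONSUMER_SECRET` are hypothetical names and the secret is generated at run time.

```shell
#!/bin/sh
# Constructed demo, Linux /proc assumed. "consumer" and CONSUMER_SECRET are
# stand-in names; the secret is generated at run time, not a real credential.
SECRET="constructed-$$-$(date +%s)"

# Print "visible" if the secret is in the argv of PID $1 (what ps and
# /proc/<pid>/cmdline show to every local user), otherwise "hidden".
argv_exposure() {
    if tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$SECRET"; then
        echo visible
    else
        echo hidden
    fi
}

# Give background PID $1 time to exec, inspect its argv, then stop it.
probe() {
    sleep 1
    argv_exposure "$1"
    kill "$1" 2>/dev/null || true
}

# Weak: the secret is an argv element, as in `process --secret=$secret`.
via_argv() {
    sh -c 'sleep 3; :' consumer "--secret=$SECRET" >/dev/null 2>&1 &
    probe "$!"
}

# Better: the child reads the secret from stdin. printf is a shell builtin,
# so no exec'd process ever carries the value in its argv.
via_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r s; sleep 3; :' consumer >/dev/null 2>&1 &
    probe "$!"
}

# Also absent from argv: the environment. /proc/<pid>/environ is readable by
# the owning user and root only, but every child process inherits it.
via_env() {
    CONSUMER_SECRET="$SECRET" sh -c 'sleep 3; :' consumer >/dev/null 2>&1 &
    probe "$!"
}

printf 'argv:  %s\nstdin: %s\nenv:   %s\n' "$(via_argv)" "$(via_stdin)" "$(via_env)"
```

`bash -x` still prints the assignment line with the expanded value, so tracing has to be off (`set +x`) around the step that fetches the secret.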