Comment by otabdeveloper4

16 hours ago

There is -- you can expose a UNIX socket for serving credentials and allow access to it only from a whitelist of systemd services.

5 comments

otabdeveloper4

Reply
rcxdude  16 hours ago

They would still exist in plaintext, just the permissions would make it a little harder to access.

  • otabdeveloper4  12 hours ago

    No, UNIX sockets work over SSL too.

    You can, theoretically, decompile the system memory dump and try to mine the credentials out of the credential server's heap, but that exploit is exponentially more difficult to do that a simple `cat /proc/1234/environ`.

lemagedurage  13 hours ago

That works on a single persistent box, but unfortunately, that means giving up on autoscaling, which is not so nice for cloud applications.

  • otabdeveloper4  12 hours ago

    You can proxy the UNIX socket to a network server if you want to. You can even use SSL encryption at all times too.

    • lmz  12 hours ago

      Once it's networked you lose the "whitelist of systemd services" and it's then no different from any networked secret store.