Handling secrets (somewhat) securely in shells
4 months ago
- #secrets-management
- #shell-scripting
- #security
- Dealing with secrets in an interactive shell can leak them through process information, especially on Linux, where every process's command line is visible via /proc.
- Using tools like `curl` with secrets in command lines exposes them to other processes; alternatives include writing headers to files or using process substitution.
- Shell history leakage is another risk: commands that contain secrets are written to history files. Reading the secret with `read`, or taking it from another command's output, keeps it out of the command line and therefore out of history.
- Environment variables can leak secrets to child processes; using shell variables that aren't exported is safer for sensitive data.
- The article suggests a cautious approach to handling secrets, advocating for methods that avoid persistent storage and minimize exposure.
- The conclusion reflects on the trade-offs between security and convenience, suggesting a preference for languages with safer defaults for handling secrets.
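The patterns the summary lists, as an added example that is not code from the article: the secret enters a bash session through `read` from stdin, stays in an unexported shell variable so child processes cannot see it, and reaches `curl` through a user-only header file or process substitution rather than an argument. The `API_TOKEN` name and the sample token are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the summarized article: patterns that keep a
# secret out of command lines (/proc/<pid>/cmdline), shell history and child
# process environments. API_TOKEN is a constructed variable name.

# Read the secret from stdin into a plain shell variable. The command line
# never carries the value, so neither /proc nor the history file records it.
# On a terminal, -s suppresses echo (bash).
read_secret() {
    if [ -t 0 ]; then
        IFS= read -r -s -p 'Secret: ' API_TOKEN; printf '\n' >&2
    else
        IFS= read -r API_TOKEN
    fi
}

# What a child process sees for API_TOKEN in its environment. While the
# variable is not exported this prints nothing; `export API_TOKEN` (or
# `API_TOKEN=... cmd`) is what hands it to every child.
child_sees_token() {
    sh -c 'printf "%s" "${API_TOKEN:-}"'
}

# Write the header to a file only the current user can read and print its
# path, so the tool receives the secret via `curl -H @"$file" ...`
# (curl >= 7.55) rather than on its command line. The caller removes it.
write_header_file() {
    local file
    file=$(umask 077 && mktemp) || return 1
    printf 'Authorization: Bearer %s\n' "$API_TOKEN" > "$file"
    printf '%s' "$file"
}

# Same idea without a file on disk: process substitution (bash) gives curl a
# /dev/fd path, and the header text never shows up in `ps` output:
#   curl -H @<(printf 'Authorization: Bearer %s\n' "$API_TOKEN") https://example.invalid/
```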