Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Do not read secrets from environment variables

> Secrets should only be accepted via credential files, pipes, AF_UNIX sockets, secret management services, or another IPC mechanism.

Which one of these is the most convenient and portable to use?

Do you use secret management services for work only, or do you use them in your personal projects too?



Hi, I'm one of the authors of CLI Guidelines.

See my post https://smallstep.com/blog/command-line-secrets/ for a bit more of a deep dive about using secrets on the command line.

Credential files are a good, simple, portable option. Files have permissions already. They don't depend on an external service or a proprietary API.

And, if your program accepts a credential file, it will be compatible with systemd credentials. systemd credentials offer more security than an unencrypted credential file. They are encrypted and can be TPM-bound, but they don't require the software using the credential to have native TPM support.


It's probably a good idea to check the permissions of that file, too, and emit a warning or exit with an error if the they're too permissive.


A good example that all of us have seen is ssh. It does not run if permissions on certs are incorrect.


But it definitely could improve its error messages in this case.


I like it when programs have a way to specify a command to retrieve secrets. mbsync (https://isync.sourceforge.io/mbsync.html) e.g. has afaik 3 options to provide a password for IMAP authentication: If you don't configure a password, you'll be prompted on execution. You can also put the plain text password in the configuration (impractical if you want to share your configuration). But there is also a configuration option to provide a command to retrieve the password. That way you can delegate the password handling to another program, e.g. a password manager like pass(1) (https://www.passwordstore.org/) or some interactive graphical prompt.


A secrets management service would be most convenient. Documentation makes them easy to set up without having to build anything extra yourself. A secrets manager like Doppler (https://Doppler.com) or AWS Secrets Manager (https://aws.amazon.com/secrets-manager/) has the advantage of protecting your secrets in a secure place and the advantage of minimizing exposure of those secrets - even to your own developers. That way, you don't end up with a data breach that could have easily been avoided. These types of leaks can cost companies everything and are becoming way more common.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: