Get credentials from a file instead of the environment
Opened this issue · 0 comments
mguaypaq commented
It looks like systemd has a whole system in place for credentials. According to System and Service Credentials:
> Within unit files, there are four settings to configure service credentials.
>
> `LoadCredential=` may be used to load a credential from disk, from an `AF_UNIX` socket, or propagate them from a system credential.
>
> `SetCredential=` may be used to set a credential to a literal string encoded in the unit file. Because unit files are world-readable (both on disk and via D-Bus), this should only be used for credentials that aren't sensitive, i.e. public keys/certificates – but not private keys.
>
> `LoadCredentialEncrypted=` is similar to `LoadCredential=` but will load an encrypted credential, and decrypt it before passing it to the service. For details on credential encryption, see below.
>
> `SetCredentialEncrypted=` is similar to `SetCredential=` but expects an encrypted credential to be specified literally. Unlike `SetCredential=` it is thus safe to be used even for sensitive information, because even though unit files are world readable, the ciphertext included in them cannot be decoded unless access to TPM2/encryption key is available.
So, systemd wants to make credentials available as files, and currently bids-hook wants to accept credentials as environment variables. I guess I can change the environment variable to contain a path to the secret, rather than the secret itself, and that should be sufficiently flexible for manual testing and also for systemd-controlled execution.
Originally posted by @mguaypaq in #6 (comment)
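As an added illustration of the approach proposed above (this is example code written for this page, not bids-hook's own code and not part of the issue), here is a POSIX shell sketch of a service that takes the *path* of its secret from the environment rather than the secret itself. It assumes an environment variable named `BIDS_HOOK_SECRET_FILE` and a systemd credential named `secret`; both names are made up for the example. Under systemd, `LoadCredential=secret:/etc/bids-hook/secret` places the file at `$CREDENTIALS_DIRECTORY/secret`, readable only by the service's user, so the same code serves manual testing and managed execution.

```shell
#!/bin/sh
# Added example, not bids-hook's own code. Reads a secret from a file whose
# path comes from the environment, so one binary works for manual testing
#   BIDS_HOOK_SECRET_FILE=/tmp/secret ./bids-hook
# and under systemd, where a unit such as (assumed names)
#   [Service]
#   LoadCredential=secret:/etc/bids-hook/secret
#   ExecStart=/usr/local/bin/bids-hook
# places the file at $CREDENTIALS_DIRECTORY/secret, readable only by the
# service's user. BIDS_HOOK_SECRET_FILE and the credential name "secret"
# are assumptions for this example.

# Resolve the path of credential $1: explicit env var first, then systemd's
# CREDENTIALS_DIRECTORY, otherwise fail.
secret_path() {
    if [ -n "${BIDS_HOOK_SECRET_FILE:-}" ]; then
        printf '%s\n' "$BIDS_HOOK_SECRET_FILE"
    elif [ -n "${CREDENTIALS_DIRECTORY:-}" ]; then
        printf '%s\n' "$CREDENTIALS_DIRECTORY/$1"
    else
        echo "no path for credential $1: set BIDS_HOOK_SECRET_FILE or run under systemd with LoadCredential=" >&2
        return 1
    fi
}

# Print credential $1 to stdout, refusing files that group or others can read
# (a secret in a 0644 file is no better than a secret in a world-readable unit
# file). The command substitution strips trailing newlines, so a file written
# with an editor and one written by systemd yield the same value.
read_secret() {
    path=$(secret_path "$1") || return 1
    [ -f "$path" ] || { echo "credential file $path does not exist" >&2; return 1; }
    # GNU stat first (Linux), BSD stat as the fallback (macOS).
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path") || return 1
    case "$mode" in
        ?00) ;;
        *) echo "refusing $path: mode $mode is readable by group or others" >&2; return 1 ;;
    esac
    secret=$(cat "$path") || return 1
    [ -n "$secret" ] || { echo "credential file $path is empty" >&2; return 1; }
    printf '%s' "$secret"
}

# Demonstration with a constructed credential directory standing in for the
# one systemd would create. Run as: sh this_script.sh demo
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077 && printf 'constructed-token-1234\n' > "$dir/secret" )
    echo "via CREDENTIALS_DIRECTORY: $(CREDENTIALS_DIRECTORY=$dir read_secret secret)"
    echo "via BIDS_HOOK_SECRET_FILE: $(BIDS_HOOK_SECRET_FILE=$dir/secret read_secret unused)"
    chmod 644 "$dir/secret"
    if (CREDENTIALS_DIRECTORY=$dir read_secret secret) >/dev/null 2>&1; then
        echo "BUG: accepted a 0644 credential file"
    else
        echo "rejected 0644 credential file as expected"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The permission check is the part worth keeping even if the rest is rewritten in the project's own language: with `SetCredential=` the secret is exposed through the world-readable unit file, and with a path-in-environment design the equivalent mistake is a world-readable secret file, which the service should refuse rather than silently use.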