> On 17.01.2024 at 13:50, Noury Bouraqadi <bouraq...@gmail.com> wrote:
>
> Many cloud platforms provide a secrets manager. It sets up env variables with
> secrets you need.
>

This is technically a good idea but legally probably bad. If you hand out cleartext credentials to your cloud provider you add that provider to the security chain. Would be interesting to read the terms & conditions for that. ;) Or there is something really clever going on. Do you have any pointers?

thanks,

Norbert

> Noury
>
> On Jan 17 2024, at 12:55 pm, Norbert Hartl <norb...@hartl.name> wrote:
>
>
> On 17.01.2024 at 12:31, Richard O'Keefe <rao...@gmail.com> wrote:
> >
> > Back in the days when an entire department would share something like
> > a VAX and think themselves
> > lucky, the advance was never to let secrets *rest* in your address
> > space any longer than you had to.
> > Bring the secret into memory just the instant before you need it, use
> > it, then scrub that area of
> > memory. You might want to put the credentials on a thumb drive which
> > is plugged in only when needed,
> >
>
> the example is about cloud servers. So we can rule out thumb drives easily ;)
> Scrubbing memory is only useful if you don’t need access at random which the
> example sounds like.
>
> > I've generally found it better for environment variables to contain
> > file names pointing to configuration
> > files than to have them hold the configuration information directly.
>
> If you use files you have just one more thing where you can screw up things
> like file permissions. And the question is where does the file come from?
> Especially if you use something like docker with ephemeral containers.
>
> Norbert
>
> >
> > On Wed, 17 Jan 2024 at 22:31, Norbert Hartl <norb...@hartl.name> wrote:
> >>
> >>
> >>
> >>> On 17.01.2024 at 05:27, sergio ruiz <sergio....@gmail.com> wrote:
> >>>
> >>> Hi, all.
> >>>
> >>> One of my projects logs in to Spaces (Digital Ocean’s version of S3). I
> >>> need to be able to access the credentials, but I don’t want to store them in
> >>> the source code, as I will be using Github to store the projects.
> >>>
> >>> Is there an accepted way to do this (encryption)?
> >>>
> >>> Should I store them on the system as environment variables? Is this
> >>> efficient?
> >>
> >> One of the usual ways, especially on unix systems, is to hand credentials
> >> in via the process environment. If you execute
> >>
> >> OSEnvironment current at: 'SHELL'
> >>
> >> in a playground you should see something like '/bin/bash'. So when starting
> >> the process you just need to specify the environment variables so that
> >> pharo can access it. If you use docker there is a way to specify that
> >> easily.
> >>
> >> Norbert
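
The variant Richard O'Keefe suggests above (the environment variable holds a file name rather than the secret) combined with the file-permission check that Norbert's caveat calls for, as an added example that is not part of the thread. `SPACES_SECRET_FILE` and `SPACES_SECRET` are hypothetical variable names, and the Pharo start command is left as a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). SPACES_SECRET_FILE and SPACES_SECRET
# are hypothetical variable names chosen for illustration.

# file_mode FILE: print the octal permission bits, e.g. 600.
# GNU stat takes -c, BSD/macOS stat takes -f.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# read_secret_file PATH: print the secret on stdout, or fail with no output.
read_secret_file() {
    secret_path=$1
    if [ -z "$secret_path" ]; then
        echo "secret file path is empty (variable unset?)" >&2
        return 2
    fi
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$secret_path" ] || [ ! -f "$secret_path" ]; then
        echo "$secret_path: not a regular file" >&2
        return 3
    fi
    secret_mode=$(file_mode "$secret_path") || return 4
    # Group and other permission digits must both be 0 (600, 400, ...).
    case "$secret_mode" in
        *00) ;;
        *)  echo "$secret_path: mode $secret_mode grants access beyond the owner" >&2
            return 5 ;;
    esac
    cat "$secret_path"
}

# Launcher usage (the VM command line is left as a placeholder):
#   SPACES_SECRET=$(read_secret_file "$SPACES_SECRET_FILE") || exit 1
#   export SPACES_SECRET
#   exec <your pharo start command>
```

Inside the image the value is then read the same way as in the thread, with `OSEnvironment current at: 'SPACES_SECRET'`.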