> encrypted secrets are strictly an improvement over status quo of unencrypted secrets on disk
No. They are NOT. They are strictly worse than unencrypted data.
Unencrypted data is at least honest. Simply encrypting it and putting the key next to the data itself creates a dangerous illusion of security.
> like what is the alternative you propose? storing plaintext secrets on disk and hope that your runtime is secure and hardened enough and free from vulnerabilities??
Put secrets into your environment, don't store them on the disk.
If your code runs on AWS, then use AWS SSM or AWS Secrets Manager. If it's on Heroku, put secrets into the env vars. K8s has a secret manager. And so on.
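An added example (not the commenter's code) of the pattern the comment recommends: resolve a secret from the process environment first and from AWS Secrets Manager second, and fail hard rather than fall back to a file on disk. The `resolve_secret` and `FakeSecretsClient` names are assumptions; the client is injected so the lookup can run offline, and with boto3 you would pass `boto3.client("secretsmanager")`, whose `get_secret_value(SecretId=...)` call is the only method used.

```python
"""Secrets come from the runtime environment or a secrets manager, never from disk."""
import os
from typing import Mapping, Optional, Protocol


class SecretsClient(Protocol):
    # Shape of the one boto3 secretsmanager method used below.
    def get_secret_value(self, SecretId: str) -> dict: ...


class MissingSecret(RuntimeError):
    """Raised when a secret is absent; there is deliberately no file fallback."""


def resolve_secret(name: str,
                   env: Mapping[str, str] = os.environ,
                   client: Optional[SecretsClient] = None) -> str:
    """Look up `name` in env vars (Heroku/K8s injection), then in Secrets Manager."""
    value = env.get(name)
    if value:
        return value
    if client is not None:
        resp = client.get_secret_value(SecretId=name)
        if "SecretString" in resp:
            return resp["SecretString"]
        # Secrets stored as bytes come back under SecretBinary instead.
        return resp["SecretBinary"].decode()
    raise MissingSecret(f"{name} not found in environment or secrets manager")


class FakeSecretsClient:
    """Constructed stand-in for boto3.client('secretsmanager') so this runs offline."""

    def __init__(self, store: dict):
        self._store = store

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._store:
            raise KeyError(SecretId)  # boto3 raises ResourceNotFoundException here
        return {"Name": SecretId, "SecretString": self._store[SecretId]}


if __name__ == "__main__":
    fake = FakeSecretsClient({"DB_PASSWORD": "from-secrets-manager"})
    # Env var wins when present; the manager is consulted only when it is not.
    print(resolve_secret("DB_PASSWORD", env={"DB_PASSWORD": "from-env"}, client=fake))
    print(resolve_secret("DB_PASSWORD", env={}, client=fake))
```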