Stop Storing Secrets in Environment Variables

Or just overwrite the variables when you&#x27;re done with them. Hell, you can wipe out the entirety of your __environ when you&#x27;re done and it won&#x27;t show up in &#x2F;proc anymore. Sure, in docker world you can still see them with docker inspect but if someone has that level of access you&#x27;re done anyway.<p>Environment variables are no ones favorite method of associating data with processes, but they&#x27;re everyone&#x27;s favorite.<p>The kernel keyring and secret files are &quot;better&quot; but they have an impedance mismatch which is that they&#x27;re user&#x2F;uid oriented rather than process oriented.<p>Here&#x27;s an example in C. I&#x27;m a terrible C programmer but you get the picture. If you run this and then `ps eww` on the process it will be empty.<p><pre><code> #include &lt;stdio.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; int main(int argc, char **argv, char **envp) { while (*envp) { printf(&quot;%s&quot;, *envp); int len = strlen(*envp); memset(*envp, 0, len); *envp++; } while (1) { sleep(10); } }</code></pre>

Is there any argument here besides &quot;because something with permission to read them might copy them to somewhere public&quot;? How does putting them in a tmpfs fix that?

Ultimately they must persist in memory to be useful. Beyond bootstrapping, sometimes API keys, etc must be read continuously. Env is as good a place as any if you need it continuously.<p>If you mount a tmpfs and copy it into the container env at runtime, is this much worse than mounting a secret object in the k8s Deployment&#x2F;pod definition in api server?<p>You could argue that the k8s API server wouldn’t learn it if it was runtime discovered, but this increases complexity. Are ephemeral secret mounts that much better than the built k8s secret objects? I would say no.

Or you could store them in your cloud provider’s secrets manager. aws.amazon.com&#x2F;secrets-manager cloud.google.com&#x2F;secret-manager