azorius.aria.company

Secrets
from Dust0741@lemmy.world to selfhosted@lemmy.world on 15 Apr 20:41
https://lemmy.world/post/28274080

I would like to migrate away from using .env for secrets, and use something hashicorp vault. How would one do this for something like pihole, where there is an env var with the password?

#selfhosted

threaded - newest

ryokimball@infosec.pub on 15 Apr 20:48 next collapse

github.com/hashicorp/envconsul

remotelove@lemmy.ca on 15 Apr 21:05 next collapse

I would look into something like Doppler instead of Vault. (I don’t trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)

Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.

This is actually a host security problem, not generally a key storage problem per se. Regardless of how you have a vault setup, my approach here is to create a single host that acts as a gateway for the rest of the credentials. (This applies to if keys are stored in “the cloud” or in a local database somewhere.)

Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it’s supporting apps…)

If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn’t need root again until you start performing patches.

folekaule@lemmy.world on 15 Apr 21:15 next collapse

See if a light weight kubernetes installation is for you. Secrets are first class citizens in k8s. You can maintain secrets in a number of different ways, but they are exposed to containers the same way. They can become files or environment variables, whether you need.

I recommend looking at k3s to run on your Pi and see if that works for you. You can add vault software on top of that later without changing your containers.

slazer2au@lemmy.world on 15 Apr 21:16 collapse

What I have seen people do in the past is use ansible secrets to secure the env file.

So only when the playbook is running does the env get decrypted.

Digital Ocean has an extensive how to on it.

digitalocean.com/…/how-to-use-vault-to-protect-se…