4 comments

[ 3.4 ms ] story [ 27.7 ms ] thread
I implemented a secrets manager using vim (which comes with blowfish file encryption support). We just pass the unlock key in from a secure location, such as our ci/cd pipeline, and then pass it to something like the following:

echo '1,$'|vim --cmd "set key=${__password}" ${__filename} -es|grep mysecret

Inside the file, you can do whatever programmatic syntax you want, because from here it's just shell pipelining.

I'd actually love to hear if this is a really bad idea.

I have implemented jackson as package. Your way of vim cannot be extended to application that keeps secrets in config file (say json). With this implementation we just need to write the env and pass it to jackson, then jackson will resolve it as runtime.