XIII (Trusted Contributor)
3 years ago
How to inject a secret into the environment via a systemd service definition?
I want to inject a secret (password) into the environment for a systemd service, using either Environment= or EnvironmentFile=.
What I tried (and what failed):
1. Environment
Environm...
Former Member
3 years ago
Hi XIII! Another option is to write the secret into a private temp file and read it from there into your app. This is secure because systemd creates private temp files in a separate application-specific namespace. In fact by some accounts it's even more secure than environment variables, which can be queried pretty easily from other processes!
My suggestion would look like:
[Service]
# systemd does not run commands through a shell, so the redirect needs an explicit sh -c
ExecStartPre=/bin/sh -c '/path/to/op read op://Vault/Item/password >/tmp/item'
# Reads the contents of /tmp/item into memory as the password
ExecStart=/some/app
# Enforces creating /tmp/* in a private namespace for the service
PrivateTmp=yes
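
An added example, not part of the original post: one way the application started by ExecStart could read /tmp/item and remove it once the password is in memory. The names load_secret and SecretFileError, the 4096-byte limit and the specific checks are assumptions made for this sketch, and it assumes ExecStartPre runs as the same user as the service.

```python
import os
import stat

SECRET_PATH = "/tmp/item"  # path used in the unit file above
MAX_SECRET_BYTES = 4096    # assumed upper bound for a password


class SecretFileError(Exception):
    """Raised when the secret file fails a safety check."""


def load_secret(path=SECRET_PATH, delete=True):
    """Read the secret written by ExecStartPre, then remove it from disk."""
    # O_NOFOLLOW: refuse a symlink sitting at the expected path.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        raise SecretFileError(f"cannot open {path}: {exc.strerror}") from exc
    try:
        # fstat the open descriptor, not the path, so the file that was
        # checked is the file that is read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise SecretFileError("not a regular file")
        if st.st_uid != os.geteuid():
            raise SecretFileError("owned by a different user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise SecretFileError("writable by group or others")
        data = os.read(fd, MAX_SECRET_BYTES + 1)
        if len(data) > MAX_SECRET_BYTES:
            raise SecretFileError("secret larger than expected")
    finally:
        os.close(fd)
    if delete:
        os.unlink(path)  # from here on the secret exists only in memory
    # Drop a trailing newline if the writer emitted one.
    secret = data.rstrip(b"\r\n").decode("utf-8")
    if not secret:
        raise SecretFileError("secret file is empty")
    return secret
```

Deleting the file after the read means a later compromise of the service finds nothing under its private /tmp.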