Many software platforms on Linux have a "secrets" manager, like Ansible Vault, Hashicorp Vault Provider, Elasticsearch keystore, etc. I'm trying to better understand if they offer the security I think they offer. Here's what I'm trying to understand:
Many software packages will let you create a .env file with secrets in it like SYSTEM_PASSWORD=some-pass-in-plain-text. Many developers don't like leaving secrets in the .env file in plain text, so they might use the software's keystore or secrets manager to store an encrypted version of the secret on the file system.

For example, if you're using Elasticsearch (pseudocode), you can use the command:

~/elasticsearch/bin/elasticsearch keystore add SYSTEM_PASSWORD

Then you will be prompted to type in the password. This will create a file called ~/elasticsearch/keystore. If you open up the ~/elasticsearch/keystore file, it will be unintelligible gobbledygook.

When you start up your Elasticsearch with

systemctl start elasticsearch

the ~/elasticsearch/keystore will be decrypted and SYSTEM_PASSWORD will be loaded into Elasticsearch as a Linux environment variable.

Does this mean that software like this that manages application secrets has some kind of secret (symmetric or asymmetric, etc.) key somewhere in the code base or on the file system to encrypt and decrypt the secrets in the keystore? And if an unauthorized person gained root access to the Linux system, would it be a simple task to locate this secret key? And because it is so easy to locate this secret key, is the difference between plain text secrets in a .env file vs. encrypted secrets in a ~/project-path/keystore purely cosmetic?
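The distinction the question is circling is where the decryption key lives, not whether the file "looks encrypted". The following is an added illustration, not code from the question or from Elasticsearch, Ansible Vault or Vault: a toy model of two keystore designs. In the first, the key sits on the same disk as the keystore (or is baked into the binary), so anyone who can read the files, root included, recovers every secret. In the second, the key is derived with PBKDF2 from a passphrase that is supplied at service start and never written to disk, so the files alone yield nothing, and root's only remaining route is guessing the passphrase. The cipher is a hand-rolled HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a real implementation would use AES-GCM or ChaCha20-Poly1305. The paths under /app/config, the iteration count and the "filesystem" (a plain dict of path to bytes) are all assumptions made for the example.

```python
"""Toy model of two application keystores, constructed to show what root can
and cannot recover from the files alone. This is NOT the Elasticsearch
keystore format, and the cipher is a stdlib-only stand-in, not AES-GCM."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream-cipher keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt. Raises on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered keystore")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- Model 1: the key is stored next to the keystore (or hard-coded) --------

def write_obfuscated_keystore(fs: dict, entries: dict) -> None:
    """fs stands in for the filesystem: path -> file contents (assumed layout)."""
    key = secrets.token_bytes(32)
    fs["/app/config/keystore.key"] = key  # readable by anyone who can read the dir
    fs["/app/config/keystore"] = seal(key, json.dumps(entries).encode())


# --- Model 2: the key is derived from a passphrase that never hits disk -----

def write_passphrase_keystore(fs: dict, entries: dict, passphrase: str) -> None:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)
    fs["/app/config/keystore.salt"] = salt  # salt is public; the passphrase is not stored
    fs["/app/config/keystore"] = seal(key, json.dumps(entries).encode())


def service_start(fs: dict, passphrase: str) -> dict:
    """What the service does at boot once an operator supplies the passphrase."""
    salt = fs["/app/config/keystore.salt"]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)
    return json.loads(unseal(key, fs["/app/config/keystore"]))


# --- What an attacker with root (read access to every file) gets ------------

def root_reads_files(fs: dict) -> Optional[dict]:
    """Decrypt using only what is on disk. Returns the secrets or None."""
    blob = fs["/app/config/keystore"]
    if "/app/config/keystore.key" in fs:
        return json.loads(unseal(fs["/app/config/keystore.key"], blob))
    return None  # only salt + ciphertext on disk: nothing to decrypt with


def root_guesses_passphrase(fs: dict, wordlist: list) -> Optional[dict]:
    """The fallback against model 2: an offline dictionary attack on the passphrase.
    Each guess costs one PBKDF2 run, so the work factor and passphrase strength
    decide whether this is feasible."""
    salt, blob = fs["/app/config/keystore.salt"], fs["/app/config/keystore"]
    for guess in wordlist:
        key = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, KDF_ITERATIONS)
        try:
            return json.loads(unseal(key, blob))
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    fs1, fs2 = {}, {}
    write_obfuscated_keystore(fs1, {"SYSTEM_PASSWORD": "hunter2"})
    write_passphrase_keystore(fs2, {"SYSTEM_PASSWORD": "hunter2"}, "correct horse")
    print("model 1, root reads files:", root_reads_files(fs1))
    print("model 2, root reads files:", root_reads_files(fs2))
    print("model 2, service with passphrase:", service_start(fs2, "correct horse"))
    print("model 2, root with wordlist:", root_guesses_passphrase(fs2, ["admin", "password"]))
```

The caveat that matters in practice is the boot path: if the service is started unattended by systemctl start, the passphrase has to come from somewhere, and if that somewhere is a file on the same host (an environment file, a drop-in unit, a startup script), the deployment has collapsed back into model 1 and root reads the passphrase just as easily as a keystore.key file. Model 2 only holds its ground when the passphrase is typed in interactively, fetched from a separate system that authenticates the host, or released by hardware such as a TPM that ties the key to the machine's measured state.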