
Understanding how keystores or secrets managers work for software running on Linux

mozzy

Coder
Many software platforms on Linux have a "secrets" manager, like Ansible Vault, HashiCorp Vault Provider, the Elasticsearch keystore, etc. I'm trying to better understand if they offer the security I think they offer. Here's what I'm trying to understand:

Many programs will let you create a .env with secrets in it like SYSTEM_PASSWORD=some-pass-in-plain-text. Many developers don't like leaving secrets in the .env file in plain text, so they might use the software's keystore or secrets manager to store an encrypted version of the secret on the file system.

For example, if you're using Elasticsearch (pseudocode), you can use the command:

~/elasticsearch/bin/elasticsearch-keystore add SYSTEM_PASSWORD

Then you will be prompted to type in the password.

This will create a file called ~/elasticsearch/keystore. If you open up the ~/elasticsearch/keystore file, it will be unintelligible gobbledygook.

When you start up Elasticsearch with systemctl start elasticsearch, the ~/elasticsearch/keystore will be decrypted and SYSTEM_PASSWORD will be loaded into Elasticsearch as a Linux environment variable.

Does this mean that software like this that manages application secrets has some kind of secret key (symmetric or asymmetric, etc.) somewhere in the code base or on the file system to encrypt and decrypt the secrets in the keystore? And if an unauthorized person gained root access to the Linux system, is it a simple task to locate this secret key? And because it is so easy to locate this secret key, is the difference between plain-text secrets in a .env file vs. encrypted secrets in a ~/project-path/keystore purely cosmetic?
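The question above comes down to where the key that seals the keystore lives. The following added example (my own illustration, not Elasticsearch's keystore format or any product's code) builds a miniature keystore two ways: design A keeps the master key in a file beside the keystore, design B derives it from a passphrase supplied at start-up (scrypt, parameters assumed). A modelled "root attacker" who can read every file on disk recovers the secrets immediately in design A but gets only ciphertext in design B. The cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) chosen so the script runs offline; a real keystore would use AES-GCM or ChaCha20-Poly1305. The file names, secret values and passphrase are constructed sample data.

```python
"""Mini keystore: does the sealing key live on disk (A) or in someone's head (B)?
Added example, stdlib only; not Elasticsearch's or any other product's code."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed KDF parameters (~16 MiB)


def _subkeys(master: bytes):
    """Separate encryption and MAC keys from the 32-byte master key."""
    enc = hmac.new(master, b"keystore-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"keystore-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one entry; fresh random nonce per entry."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(master: bytes, entry: dict) -> bytes:
    """Constant-time tag check before decrypting; wrong key or tampering -> ValueError."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = (bytes.fromhex(entry[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def key_from_file(keyfile: str) -> bytes:
    """Design A: master key is a file on disk next to the keystore."""
    if not os.path.exists(keyfile):
        with open(keyfile, "wb") as f:
            f.write(secrets.token_bytes(32))
    with open(keyfile, "rb") as f:
        return f.read()


def key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Design B: master key derived from a passphrase typed at service start."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def write_keystore(path: str, master: bytes, values: dict, salt: Optional[bytes] = None) -> None:
    ks = {"salt": salt.hex() if salt else None,
          "entries": {name: seal(master, v.encode()) for name, v in values.items()}}
    with open(path, "w") as f:
        json.dump(ks, f)


def read_keystore(path: str, master: bytes) -> dict:
    with open(path) as f:
        ks = json.load(f)
    return {name: unseal(master, e).decode() for name, e in ks["entries"].items()}


def root_attacker(keystore: str, keyfile: Optional[str] = None, guess: Optional[str] = None):
    """Someone with root: reads every file, but cannot read a passphrase from memory.
    Returns recovered secrets, or None if only ciphertext was obtained."""
    with open(keystore) as f:
        ks = json.load(f)
    if keyfile and os.path.exists(keyfile):        # design A: the key is right there
        return read_keystore(keystore, key_from_file(keyfile))
    if guess is not None and ks["salt"]:           # design B: must guess the passphrase
        try:
            return read_keystore(keystore, key_from_passphrase(guess, bytes.fromhex(ks["salt"])))
        except ValueError:
            return None
    return None


def demo() -> dict:
    """Build both designs in a temp dir (constructed data) and compare outcomes."""
    d = tempfile.mkdtemp()
    a_ks, a_key = os.path.join(d, "a.keystore"), os.path.join(d, "a.key")
    write_keystore(a_ks, key_from_file(a_key), {"SYSTEM_PASSWORD": "hunter2"})
    b_ks, salt = os.path.join(d, "b.keystore"), secrets.token_bytes(16)
    write_keystore(b_ks, key_from_passphrase("correct horse battery", salt),
                   {"SYSTEM_PASSWORD": "hunter2"}, salt)
    return {
        "service_a": read_keystore(a_ks, key_from_file(a_key))["SYSTEM_PASSWORD"],
        "root_a": root_attacker(a_ks, keyfile=a_key),
        "service_b": read_keystore(b_ks, key_from_passphrase("correct horse battery", salt))["SYSTEM_PASSWORD"],
        "root_b_no_guess": root_attacker(b_ks),
        "root_b_bad_guess": root_attacker(b_ks, guess="password1"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script and `root_a` comes back with the plaintext password while `root_b_no_guess` and `root_b_bad_guess` are `None`. That is the whole difference: an encrypted keystore whose key is also on disk only raises the bar against casual reading and accidental commits, since root (or anyone with the service's file permissions) can decrypt it; a keystore unlocked by a passphrase entered at start-up withstands an offline read of the disk, at the cost of needing that passphrase delivered at every boot. In Elasticsearch specifically, `bin/elasticsearch-keystore passwd` sets such a passphrase. Two caveats apply to both designs: once the service is running, the decrypted secret sits in process memory, which root can read via `/proc/<pid>/mem`, and if the secret is exported as an environment variable it is also visible in `/proc/<pid>/environ`. So the keystore protects data at rest, not a running service from a compromised host.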
 