How do you manage secrets?

I previously relied on environmental variables, but I'm learning there are limitations with that practice

Discussion

a secrets.json/yaml/file format here

and listed in .gitignore

problem solved

anything else is unnecessarily complicated unless you have more than 2 servers and frequently changing secrets

I use an allow-list pattern on my .gitignores; this way only stuff I mean to be in there is caught, everything else gets ignored.

https://github.com/mleku/realy/blob/dev/.gitignore

Been using this since I had a colleague include a node_modules in our fiat mine project a year ago.

This list will pretty much keep anything useful; just don't use .txt for secret files lol
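An allow-list .gitignore in the shape the post above describes, as an added example: this is constructed for illustration and is not the linked realy file. It writes the allow-list into a throwaway repo and asks git's own matcher (`git check-ignore`) what would be kept, so the result is not a guess. The kept extensions are assumptions for a Go project with docs; the `!*.txt` line is exactly why a `.txt` secret file would slip through.

```shell
#!/bin/sh
# Added example: an allow-list .gitignore checked against git's own matcher.
# Constructed for illustration; it is not the realy repository's .gitignore.
set -eu

# Allow-list .gitignore: ignore everything, then un-ignore only what belongs
# in the repo. "!*/" is needed so git descends into directories at all;
# without it nothing below the top level would be reached by the "!" lines.
allowlist_gitignore() {
  cat <<'EOF'
# Ignore everything by default.
*
# Let git look inside directories (the "!" patterns below need this).
!*/
# Deliberately kept file types (assumption: a Go project with docs).
!.gitignore
!go.mod
!go.sum
!*.go
!*.md
!*.txt
# Hard deny-list, placed last so it wins over any "!" pattern above.
node_modules/
secrets.json
*.pem
EOF
}

# Create a throwaway repo with the allow-list, create each candidate path in
# it, and print "<path> ignored" or "<path> tracked" using git's own rules.
check_allowlist() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  allowlist_gitignore > "$repo/.gitignore"
  for p in "$@"; do
    mkdir -p "$repo/$(dirname "$p")"
    : > "$repo/$p"
    if git -C "$repo" check-ignore -q "$p"; then
      echo "$p ignored"
    else
      echo "$p tracked"
    fi
  done
  rm -rf "$repo"
}

# Usage: notes.txt is kept (the poster's ".txt" warning), while .env,
# secrets.json and anything under node_modules/ never reach the index.
check_allowlist main.go go.mod README.md cmd/relay/main.go notes.txt \
  secrets.json node_modules/foo.js id.pem .env
```

Because the first line is `*`, a new file type is invisible to git until someone adds a `!` line for it, which is the trade-off of this pattern: you occasionally have to un-ignore something, but a stray credentials file needs no rule at all to stay out.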

Wouldn’t the owner of the hardware have root access to the secrets.json file?

I may be misunderstanding

How is that better than environmental variables?

More flexibility

Environment variables. Specify them in the systemd service file. What is the problem with them?

I don't have many secrets to be honest.
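The check a practitioner would want before settling on "put them in the service file", as an added example that is not part of the post above: two constructed unit fragments, one with the secret inline in `Environment=`, one pointing `EnvironmentFile=` at a root-owned 0600 file, and a small audit that flags the inline form plus any referenced env file that other accounts can read. The unit contents, paths and the list of secret-looking variable names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: the weak and the better systemd layout side by side, plus an
# audit that flags the weak one. Unit contents and paths are constructed.
set -eu

# Weak: secrets inline in the unit. Unit files are normally installed 0644
# and "systemctl show -p Environment <unit>" works unprivileged, so every
# local account can read these values.
weak_unit() {
  cat <<'EOF'
[Service]
ExecStart=/usr/local/bin/relay
Environment=DATABASE_URL=postgres://relay:hunter2@localhost/relay
Environment=API_TOKEN=abc123
EOF
}

# Better: the unit only names a root-owned 0600 file (path given as $1); PID 1
# reads it, so the values are neither in the unit nor in systemctl output.
# systemd >= 247 also offers LoadCredential= for per-service secret files.
strong_unit() {
  cat <<EOF
[Service]
ExecStart=/usr/local/bin/relay
EnvironmentFile=$1
EOF
}

# Audit every *.service in $1 and print one finding per line. Simplifications:
# only the unquoted "Environment=NAME=value" form is parsed, and the list of
# secret-looking names is a heuristic (assumption) to tune per project.
audit_units() {
  dir=$1
  for unit in "$dir"/*.service; do
    [ -e "$unit" ] || continue
    name=$(basename "$unit")
    for var in $(sed -n 's/^Environment=\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$unit"); do
      case "$var" in
        *SECRET*|*TOKEN*|*PASSWORD*|*KEY*|*_URL*)
          echo "$name: inline secret in Environment= ($var)" ;;
      esac
    done
    for f in $(sed -n 's/^EnvironmentFile=-\{0,1\}\(.*\)/\1/p' "$unit"); do
      [ -e "$f" ] || continue
      mode=$(stat -c %a "$f")
      case "$mode" in
        600|400) ;;
        *) echo "$name: EnvironmentFile $f is mode $mode, expected 0600" ;;
      esac
    done
  done
}

# Constructed sample: one inline unit, one correct EnvironmentFile= unit, one
# that points at an env file other accounts can read.
build_sample_units() {
  dir=$(mktemp -d)
  weak_unit > "$dir/weak.service"
  printf 'API_TOKEN=abc123\n' > "$dir/secrets.env"
  chmod 600 "$dir/secrets.env"
  strong_unit "$dir/secrets.env" > "$dir/strong.service"
  printf 'API_TOKEN=abc123\n' > "$dir/loose.env"
  chmod 644 "$dir/loose.env"
  strong_unit "$dir/loose.env" > "$dir/loose.service"
  echo "$dir"
}

d=$(build_sample_units)
audit_units "$d"
rm -rf "$d"
```

Run `audit_units /etc/systemd/system` on a real host to get the same three kinds of finding. Whatever the unit references, the process still ends up holding the values in its environment, which the same uid and root can read from /proc/PID/environ and which child processes inherit, so the env file only fixes the "anyone can read the unit" problem, not the "whoever owns the box can read it" one raised later in the thread.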

Wouldn’t the owner of the hardware have root access to them?

Definitely. If you want absolute secrecy you have to run your own (or trust Intel SGX, but that's too complicated).

You can also precompile secrets inside the binary you deploy; the owner of the hardware still has access, but it makes their lives harder. Or you can load the secrets from somewhere else on startup and keep them in memory; again, they can still access them, but it's harder.