Depends of the size of your setup. Most website are small, and their threat model don't require more than having the secrets in a systemd file env statement.
After all, if you have a single server, and the attacker can read a root protected file oe the spawned processes context, you are pwned already. As for exposing env var, popping os.environ is usually enough.
No need to pay for more than you must: bots and script kiddies are not mossad.
After all, if you have a single server, and the attacker can read a root protected file oe the spawned processes context, you are pwned already. As for exposing env var, popping os.environ is usually enough.
No need to pay for more than you must: bots and script kiddies are not mossad.