
Any good cross-platform and easy ways to share secrets without using environment variables?


SOPS can be part of the solution. It takes care of encrypting and decrypting config files.

https://github.com/getsops/sops


Point to a file? E.g. `CONFIG_PATH=/etc/myapp/config.ini /opt/myapp`

That being said, I still use env vars and don't plan on stopping. I just haven't (yet?) seen any exploits or threat models relating to it that would keep me up at night.


Is that file more secure than the environment variables it's replacing? On Linux I think you can secure it to just your service with SELinux. Not sure about Windows.


How do you get that file?

I also use env vars.


For example, systemd or kubernetes.

https://systemd.io/CREDENTIALS/

https://kubernetes.io/docs/concepts/configuration/secret/#us...

(Systemd also has more complex modes that are safer than files. And the Linux kernel has a concept of keyrings that might be even better.)
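An added example, not part of any comment in this thread: one way an application could read a secret from a file rather than from an environment variable, looking first in the directory systemd exposes as `$CREDENTIALS_DIRECTORY` and then at an explicit path. The `load_secret` function, the `SecretError` class and the `<NAME>_FILE` fallback variable are hypothetical names chosen for this sketch.

```python
import os
import stat
from pathlib import Path


class SecretError(Exception):
    """Raised when a secret file is missing or unsafe to use."""


def load_secret(name, env=os.environ):
    """Return the bytes of secret `name`, read from a file.

    Lookup order (a convention assumed for this example):
      1. $CREDENTIALS_DIRECTORY/<name>  (set by systemd for unit credentials)
      2. the path in $<NAME>_FILE       (hypothetical, like CONFIG_PATH above)
    """
    # Only a bare file name is accepted, so the name cannot escape the directory.
    if not name or name in (".", "..") or Path(name).name != name:
        raise SecretError(f"invalid secret name: {name!r}")

    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    explicit = env.get(f"{name.upper()}_FILE")
    if cred_dir:
        path = Path(cred_dir) / name
    elif explicit:
        path = Path(explicit)
    else:
        raise SecretError(f"no file source configured for {name!r}")

    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_BINARY", 0))
    except OSError as exc:
        raise SecretError(f"cannot open {path}: {exc}") from exc

    with os.fdopen(fd, "rb") as fh:
        # fstat the descriptor we opened, so the check and the read see the same file.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise SecretError(f"{path} is not a regular file")
        # POSIX only: refuse files any local user can touch. Group bits are
        # left alone because POSIX ACL masks show up there.
        if os.name == "posix" and st.st_mode & 0o007:
            raise SecretError(f"{path} is accessible to all users")
        return fh.read().rstrip(b"\n")
```

The permission check covers only the file mode bits; SELinux labels or Windows ACLs, as raised earlier in the thread, would need separate handling.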



