How to Handle Secrets on the Command Line

Now, even for this one there’s a caveat. Have you ever run mysql this way?

$ mysql --user carl --password amazingpw db.smallstep.com

Or curl this way?

$ curl -u carl:password https://example.com:3000

These commands accept passwords against their own better judgement, for convenience. But, immediately upon startup, they will overwrite argv with a blank value, effectively hiding the secret. If you run ps during the curl command shown here, you’ll see:

The alternative for curl is a credential file: A .netrc file can be used to store credentials for servers you need to connect to.

And for mysql, you can create option files: a .my.cnf or an obfuscated .mylogin.cnf will be read on startup and can contain your passwords.
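The two points above, that anything in argv is readable by every user on the machine, and that a 0600 credential file keeps the secret off the command line, can be checked directly. The script below is an added example, not code from the original post or from curl or MySQL: it spawns a process that carries a constructed secret (hunter2-constructed) in its argv, reads that argv back the way ps does, and then writes a sample .netrc with the permissions curl expects. The host name, login and temporary directory are all constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. All secrets, hosts and paths
# below are constructed placeholders.

# Print a process's argument vector as ps(1) would show it. On Linux this is
# /proc/PID/cmdline (NUL-separated); elsewhere fall back to ps. Either way,
# any other user on the host can read the same thing.
argv_of_pid() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
        echo
    else
        ps -o args= -p "$1"
    fi
}

# Return 0 (true) if the given string appears in the process's visible argv.
# This is the check to run against a cron job or build agent: a password
# that shows up here is leaking to every local user.
argv_leaks() {
    pid=$1
    needle=$2
    argv_of_pid "$pid" | grep -F -q -- "$needle"
}

# Start a process that carries a constructed secret in its argv, as
# `mysql --password=...` would. `sh -c` passes the trailing words through as
# $0 and $1; the extra builtins stop the shell from exec'ing sleep directly,
# so the parent shell (and its argv) stays alive. Output is detached so the
# caller's command substitution does not block on the background job.
demo_leaking_process() {
    sh -c 'sleep 30; :; :' placeholder --password=hunter2-constructed \
        >/dev/null 2>&1 &
    echo $!
}

# Write a .netrc-style credential file into directory $1 with mode 0600,
# which is what curl requires before it will read the file. The subshell
# keeps the restrictive umask from leaking into the rest of the script.
write_netrc() {
    dir=$1
    (
        umask 077
        printf 'machine example.com\nlogin carl\npassword hunter2-constructed\n' \
            > "$dir/netrc"
    )
    echo "$dir/netrc"
}

# Permission string of a file, e.g. "-rw-------"; portable across GNU and BSD.
perm_of() {
    ls -l "$1" | cut -c1-10
}

main() {
    pid=$(demo_leaking_process)
    echo "argv as seen by ps: $(argv_of_pid "$pid")"
    if argv_leaks "$pid" "hunter2-constructed"; then
        echo "LEAK: secret visible in argv of pid $pid"
    fi
    kill "$pid" 2>/dev/null

    tmp=$(mktemp -d)
    f=$(write_netrc "$tmp")
    echo "credential file $f has mode $(perm_of "$f")"
    # With the file in place the credential never touches argv:
    #   curl --netrc-file "$f" https://example.com/
    rm -rf "$tmp"
}

main
```

Running it prints the full argument vector of the demo process, including the constructed secret, and then the 0600 credential file; point argv_leaks at a real long-running PID to audit a service the same way. curl reads the file with --netrc-file (or --netrc for ~/.netrc), and the equivalent for mysql is the .my.cnf option file described above.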