Przejdลบ do treล›ci

๐Ÿง  Secure Handling of Secrets

Shell scripts frequently work with sensitive data such as passwords, API tokens, SSH keys, and access credentials. However, the shell environment is inherently insecure: variables leak, commands appear in process lists, and logs may expose secrets. This module explains how to handle secrets safely in POSIXโ€‘compatible scripts.

๐ŸŽ“ Who This Is For

  • DevOps/SRE engineers managing CI/CD pipelines
  • Developers writing automation that interacts with APIs or cloud services
  • Sysadmins handling credentials, tokens, or private keys
  • Anyone needing to avoid accidental secret leakage in shell scripts

๐Ÿงฉ Role in the Ecosystem

Secrets appear in many contexts:

  • API tokens
  • Passwords
  • SSH keys
  • Cloud credentials
  • Database connection strings
  • OAuth/JWT tokens

Shell scripts often orchestrate tools that require these secrets, but the shell itself provides no builtโ€‘in secure storage. Safe handling requires defensive practices and external tools.

๐Ÿงฉ Key Concepts

1. Shell Environments Are Not Secure

Environment variables leak through:

  • ps aux
  • /proc/$PID/environ
  • debug tracing (set -x)
  • CI/CD logs
  • crash dumps
  • history files

2. Arguments Are Visible

Passing secrets as CLI arguments is unsafe:

1
curl -H "Authorization: Bearer SECRET"   # visible in ps

3. Stdout vs Stderr

Secrets printed to stdout may be captured by pipelines or logs.

4. Filesystem Exposure

Secrets stored in plain text files are readable by other users unless permissions are restricted.

๐Ÿ”ง Techniques

Read Secrets Without Echoing

1
read -r -s TOKEN

Pass Secrets via Stdin

1
printf '%s' "$TOKEN" | command --token-from-stdin

Use Environment Files with Restricted Permissions

1
chmod 600 .env

Use External Secret Stores

  • pass (GPGโ€‘based)
  • gpg encrypted files
  • age encrypted files
  • sops (YAML/JSON secrets)
  • cloud secret managers (AWS/GCP/Azure)

Avoid Logging Secrets

Disable tracing around sensitive code:

1
2
3
set +x
TOKEN="$(cat token.txt)"
set -x

Use Temporary Files Safely

1
2
TMPFILE="$(mktemp)"
chmod 600 "$TMPFILE"

Clear Variables After Use

1
unset TOKEN

โš ๏ธ Limitations & Pitfalls

  • Environment variables are visible to other processes
  • CLI arguments leak through ps
  • set -x exposes secrets in logs
  • CI/CD systems often log environment variables
  • Shell history may capture commands containing secrets
  • Temporary files may persist after crashes
  • /proc exposes process environments

๐Ÿง  When to Use These Techniques

  • Passing API tokens to CLI tools
  • Running scripts in CI/CD pipelines
  • Handling credentials for cloud services
  • Managing SSH keys or encrypted files
  • Automating deployments or provisioning

โŒ When Not to Use Shell for Secrets

  • Longโ€‘term secret storage
  • Highโ€‘security environments
  • Multiโ€‘user systems without isolation
  • Handling large or complex secret structures
  • Applications requiring cryptographic operations

Use a real secret manager or a higherโ€‘level language.

โœ… Best Practices

  • Never pass secrets as CLI arguments
  • Never store secrets in shell history
  • Never print secrets to stdout
  • Use read -s for interactive input
  • Use stdin instead of arguments
  • Use external secret stores
  • Restrict file permissions (chmod 600)
  • Disable tracing around sensitive operations
  • Clear variables after use
  • Avoid exporting secrets unless necessary

๐Ÿงช Testing Secret Safety

Check for leaks:

1
ps aux | grep token

Check environment exposure:

1
tr '\0' '\n' </proc/$$/environ

Check history:

1
history | grep token

Test safe input:

1
read -s PASSWORD

๐Ÿง  Summary

Shell scripts are not inherently secure, but careful handling of secrets can minimize risk. Avoid passing secrets via arguments, avoid logging them, use stdin or external secret stores, and restrict file permissions. These practices ensure that automation remains safe, predictable, and productionโ€‘ready.