Linux - securing environment variables

Question

Just wondering if there is any way to secure the environment variables in a *nix system such that they can not be read from any plain text file, but is available in the environment.

I know we can always use filesystem level permissions for .bashrc/.bash_profile, but what if certain variables (like db passwords) are to be hidden completely?

One way to do would be to write some sort of program/perl script to:

Take inputs from a plain text file and encrypt/hash the content (and then get rid of the plain text file)
Use the same to decrypt the file runtime and export the values from the decrypted output (I know this program can be used to dump the decrypted values somewhere, but I am not concerned about that right now)

Is there any other better and more obvious way to achieve this?

Thanks!

-Gaurav

Relevant: [`stackoverflow`: Set an environment variable (password) in a way its value is not saved to the bash history](https://stackoverflow.com/questions/56856579/) — toraritte, Mar 27 '23 at 19:24
Another good thread: [`unix&linux`: Is it safe to export a variable containing a password, then resetting it?](https://unix.stackexchange.com/questions/345009/is-it-safe-to-export-a-variable-containing-a-password-then-resetting-it) — toraritte, Mar 28 '23 at 13:23

score 7 · Answer 1 · answered Nov 09 '10 at 01:19

7

No way. Even if you hide it from text file, it is still available from /proc/<pid>/environ (linux) or ps e (other unix).

answered Nov 09 '10 at 01:19

J-16 SDiZ

26,473
4
65
84

3

This is not strictly true -- the `environ` file is not visible to other non-root users on modern kernel releases. – Charles Duffy Apr 16 '13 at 14:59
The point is that it is secure to user that defined the environment variables. Only root, and the owner of the process that defined the environment variables have access to `/proc/$pid/environ`. However, there might be also cases where you want it from the user itself - a key-store might choose to transmit the password/login to another application over environment variables. The user might be able to figure out passwords through this method. I had a similar question here: http://unix.stackexchange.com/a/206219/117221 – YoYo May 31 '15 at 17:27
2

Can you just unset the variable after you're done using it? Will it still show up in `/proc//environ`? – richizy Jan 24 '18 at 18:37

score 3 · Answer 2 · answered Nov 09 '10 at 01:18

Who are you securing them from?

The short answer is "No". The user can see their own environment variables unless you bottle them up so thoroughly that they can never access the shell. But which editor do you let them use? Did you say 'vim'? Oh, they've got access to the shell, after all.

Jonathan · Answer 3 · 2010-11-09T17:06:37.163

It is sort-of possible, but very indirect. You would need to save the sensitive data into a file readable only by the process that starts the process that needs it in an environment variable. /proc/###/environ is only readable by the user as whom a process is running, so the data is safe there.

But, more directly, the proper method for hiding stuff like database passwords is to save them in a file readable only by the user and/or group that the program reading them runs as. Don't bother passing them in an environment variable (unless you really need to for some reason), just have the process read them from the file.

For example, if you are running a web site and the CGI scripts/binaries are started by Apache, which runs as user:group apache:apache, save the database password that the CGI needs into a file owned by apache:apache with permissions like rw-r----- (640). That way, for somebody to read the file, he needs to either be root, a member of the apache group, or running the read program with an effective user or group of apache.

The only benefit to using environment variables is that you can remove them from the environment before starting a sub-process, whereas if the sub-process is to be owned by the same user, it can read the secured file.

Michael · Answer 4 · 2022-05-26T14:40:10.303

It's not so hard to do. Just put you encrypted password in the file and replace cat file (see below) with whatever program you're using to decrypt it. cat file | decoding software

Those are backtick quotes btw near the tab/esc key. They're used to substitute the output of the command in the area in which they're used.

$ touch file
$ echo "MySecret" > file
$ cat file
MySecret
$ export SECRET=`cat file`
$ echo $SECRET
MySecret

I'm sure a lot of people wonder about this are ones using docker possibly with portainer which posts this sensitive information on screen in the clear, and simply want it hidden from view.

Note: There are other more elaborate methods too.

There's also third party software that do a similar job. https://www.vaultproject.io/ there are others.

Personally I'd rather use use native bash scripting. Naturally you can do something like storing one key on a server and another locally for double security if you wanted.

Code your own authentication server.

Store your variable on a private github repo and use the backticks to read it using git, etc etc.

Code your own Zero Knowledge Proof. Your imagination is the limiting factor.

Linux - securing environment variables

4 Answers4

Linked