I prefer to pass secrets between programs through standard input
24 points by jmtd
Even better is to generalise this and pass them on file descriptors greater than 2. That’s trickier to do, though, and few programs these days support it (‘better’ here means ‘more secure,’ not ‘more practical and usable’).
/dev/fd mechanism can be used. Unfortunately often the problem is that programs want a seekable file, instead of a pipe.
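Added example, not part of the thread: a Python sketch of the two comments above, handing a secret to a child on an inherited pipe descriptor above 2 and naming it to the child as a `/dev/fd/N` path. The child program and the secret value are constructed for illustration; the child reports that the descriptor is not seekable and that the secret appears in neither its environment nor its argv.

```python
import json
import os
import subprocess
import sys

# Constructed child: gets a /dev/fd/N path on argv, reads the secret from it,
# and reports what it observed (never the secret itself).
CHILD = r"""
import json, os, sys
with open(sys.argv[1], "rb") as f:
    seekable = f.seekable()
    secret = f.read()
text = secret.decode()
print(json.dumps({
    "length": len(secret),
    "seekable": seekable,
    "in_environ": any(text in v for v in os.environ.values()),
    "in_argv": any(text in a for a in sys.argv),
}))
"""


def pass_secret_on_fd(secret: bytes) -> dict:
    """Hand `secret` to a child on an inherited pipe fd (> 2), not env/argv."""
    read_fd, write_fd = os.pipe()      # both ends are non-inheritable by default
    try:
        os.write(write_fd, secret)     # a short secret fits in the pipe buffer
    finally:
        os.close(write_fd)             # closing gives the child EOF after the secret
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, f"/dev/fd/{read_fd}"],
            pass_fds=(read_fd,),       # only this fd crosses exec, same number
            stdout=subprocess.PIPE,
            check=True,
        )
    finally:
        os.close(read_fd)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print(pass_secret_on_fd(b"constructed-example-secret"))
```

Only the path `/dev/fd/N` is visible in the child's command line; a program that calls `seek()` on that path will fail because the descriptor is a pipe.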
A better model is to not pass secrets. A nice capabilities-based model would be a dramatic improvement over "passing around the keys to the kingdom". Unfortunately, 50+ year old OS designs didn't incorporate that notion.
Or use a specification for secrets and integrate via SDK: https://devenv.sh/blog/2025/07/21/announcing-secretspec-declarative-secrets-management/
a secret passed in the environment can be found in the process's environment (which can usually be inspected by outside parties)
I thought you needed root to do this. On my system, I am unable to read /proc/<pid>/environ for processes I do not own. If I have root, obviously all is lost, but I want to point out I can strace your programs and see the standard input/output. Or look at your memory. Or probably a variety of other methods. To be fair, it's harder to catch a one-time read/write transaction than it is an environment that will be there for the process's lifetime, but the "increase" in security level here feels hand-wavy.
Any other process executing under the same user can read the environment for the other processes. I'm not sure if that is an additional hurdle if you already have user privileges.