~erin/web-canary#23: 
address user credential safety

#problem

we provide instructions and a script for the user to automatically create aws infrastructure. this includes the use of credstash, and storage of the same secret within it.

to do this, the user must export a variable containing this secret to environment before executing setup.sh.

while we try to ensure that their shell history is turned off, that was only validated with bash, a single flavor of shell.

#solutions

  1. support gnu secrets service api
  2. improve readme to provide a warning about secret handling in their shell

#gnu secrets service

this is an option for securely handling the gandi api key before supporting infrastructure for such has been instantiated.

expand the gandi api key creation instructions to include a section on using keepassxc, and on enabling its secret service integration. the setup script could then use a cli interface to the service api to retrieve said credential.

caveats:

  1. this would introduce yet another dependency for initial setup of infrastructure, which i don't favor
  2. could be cool to support anyway for ancillary benefits outside of initial intended use e.g. being an alternative to credstash for local users, or app testing purposes

#user education

it'd be simpler to merely warn the user about the risks of exposing their credential to their shell history, and link some page on how to temporarily disable this functionality for a variety of shells.

Status: REPORTED
Submitter: ~erin
Assigned to: No-one
Submitted: 3 years ago
Updated: 3 years ago
Labels: enhancement, toolchain
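
A sketch of the secret service option from the ticket, added here as an example and not part of the ticket or of web-canary's code: a wrapper that reads the key through `secret-tool` (libsecret's CLI for the Secret Service API, which KeePassXC can serve) and hands it to `setup.sh` without the user ever typing an `export` line. The variable name `GANDI_API_KEY`, the `SECRET_TOOL` override and the lookup attributes `service web-canary key gandi-api` are assumptions.

```shell
#!/bin/sh
# Added example, not web-canary code. Assumed names: GANDI_API_KEY,
# SECRET_TOOL, and the attribute pairs "service web-canary key gandi-api".

# Overridable so the lookup binary can be swapped (or stubbed in tests).
SECRET_TOOL="${SECRET_TOOL:-secret-tool}"

# Print the credential on stdout; return non-zero if none was obtained.
fetch_secret() {
    # 1. Ask the Secret Service provider. Nothing is typed, so nothing
    #    can land in any shell's history file.
    if command -v "$SECRET_TOOL" >/dev/null 2>&1; then
        secret=$("$SECRET_TOOL" lookup service web-canary key gandi-api 2>/dev/null) || secret=""
        if [ -n "$secret" ]; then
            printf '%s' "$secret"
            return 0
        fi
    fi
    # 2. Fallback without the extra dependency: prompt with echo off.
    #    Input read this way is not a command line, so it is not recorded
    #    as history in bash, zsh, fish or any other shell.
    if [ -t 0 ]; then
        printf 'gandi api key: ' >&2
        trap 'stty echo' INT TERM
        stty -echo
        IFS= read -r secret
        stty echo
        trap - INT TERM
        printf '\n' >&2
        [ -n "$secret" ] && printf '%s' "$secret" && return 0
    fi
    return 1
}

# Run a command with the credential set in that command's environment
# only; the invoking shell never exports it.
run_with_secret() {
    key=$(fetch_secret) || { echo 'no credential available' >&2; return 1; }
    GANDI_API_KEY="$key" "$@"
}

# Usage: run_with_secret ./setup.sh
```
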