Securely provide password for private key/PFX via Environment Variable #18277

Closed
anrossi opened this issue Sep 27, 2021 · 3 comments · Fixed by #18498

@anrossi
Contributor

anrossi commented Sep 27, 2021

I am looking to add PFX support for certificates in the future, and the customer has a requirement that the password not be stored in the configuration file because they randomly generate it, and the PFX, at run time.
The existing methods for providing the password don't meet the customer's requirements of a random, one-use password that is generated at run time.
The preferred solution to this would be extending the DataSource API to include an environment variable field, in addition to the existing fields. It would read the environment variable data and store it as bytes.

@envoyproxy/api-shepherds I'd appreciate your feedback on this, as I am proposing an API change.

@anrossi added the triage (Issue requires triage) label Sep 27, 2021
@htuch
Member

htuch commented Sep 27, 2021

Something like this was added for Wasm extensions recently, #15136 (#15136 (comment) for a relevant thread).

I'm not sure how opinionated I would want to be about forcing the use of env vars for a feature, but it seems reasonable to support it as a data source to me.

@anrossi
Contributor Author

anrossi commented Sep 27, 2021

To be clear, I would not force the use of an environment variable to hold the PFX password. I intend for the PFX support feature to accept all current methods for specifying the password, but would like to also support an environment variable.

@mattklein123
Member

Yeah I think adding env as an additional data source seems reasonable to me.

@mattklein123 added the area/tls and help wanted (Needs help!) labels and removed the triage (Issue requires triage) label Oct 3, 2021
htuch pushed a commit that referenced this issue Oct 19, 2021
Add support to DataSource to read data from environment variables.

Risk Level: Low
Testing: Unit test for well-known environment variable, no environment variable, and empty environment variable.
Docs Changes: N/A
Release Notes: config: added environment_variable to the DataSource.
Platform Specific Features: N/A

Fixes #18277

Signed-off-by: Anthony Rossi <[email protected]>
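
The commit message above names three cases for the new data source: a set variable, a missing one, and an empty one. The C++ sketch below is an added example, not Envoy's code or the referenced commit; it keeps those cases distinct and returns the value as raw bytes. `EnvSecret`, `readEnvBytes`, `wipe` and the variable name `PFX_PASSWORD_EXAMPLE` are hypothetical, and rejecting an empty value by default is an assumption.

```cpp
// Added example; not Envoy source code. All names here are hypothetical.
#include <stdlib.h> // setenv (POSIX), used only by the demo in main()
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

enum class EnvStatus { Ok, Missing, Empty };

struct EnvSecret {
  EnvStatus status;
  std::vector<uint8_t> bytes; // value exactly as set: no trimming, no decoding
};

// Reads the variable and copies its value into an owned byte buffer.
// Assumption: an empty value is rejected unless the caller opts in.
EnvSecret readEnvBytes(const std::string& name, bool allow_empty = false) {
  const char* value = std::getenv(name.c_str());
  if (value == nullptr) {
    return {EnvStatus::Missing, {}}; // unset: caller should fail config load
  }
  const size_t len = std::strlen(value);
  if (len == 0 && !allow_empty) {
    return {EnvStatus::Empty, {}}; // set, but carries no password
  }
  return {EnvStatus::Ok, std::vector<uint8_t>(value, value + len)};
}

// Zeroes the owned copy once the private key has been decrypted.
// This does not touch the process environment itself.
void wipe(std::vector<uint8_t>& bytes) {
  volatile uint8_t* p = bytes.data();
  for (size_t i = 0; i < bytes.size(); ++i) {
    p[i] = 0;
  }
  bytes.clear();
}

int main() {
  setenv("PFX_PASSWORD_EXAMPLE", "pw 1 ", 1); // constructed sample value
  EnvSecret secret = readEnvBytes("PFX_PASSWORD_EXAMPLE");
  std::cout << "status ok: " << (secret.status == EnvStatus::Ok)
            << ", length: " << secret.bytes.size() << "\n";
  wipe(secret.bytes);
  return secret.bytes.empty() ? 0 : 1;
}
```

The trailing space in the sample value survives the read, which matters when the password is random bytes rather than a typed string.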