GitGuardian [Secrets At The Command Line - 2022]
credentials in files and I n the terminal
Plaintext
Credentials
Never enter or store
passwords, API Keys or any
other secrets in plaintext

E nvironmental V ariables
do not store in
the cloud
Environmental Variables should
only ever be stored locall
Do not use in shared or cloud
environments
CREDEN T IA L F I L ES
DO NOT SHARE
Do not store in a Version Control
Syste
Do not share credential files
directory and only accessible
process status
`ps` utility providing information on all running processe
Any values entered through the command line are stored in a globally readable file
/proc/<pid>/cmdline
H IS TO R Y
DO NOT enter plaintext
Any plaintext secrets entered
into your shell are stored in your
terminal’s history
Easily accessible to anyone with
shared environment access
Use A Vault PIPES
Use a vault like Hashicorp Vault to
securely store credential
Programatically retreive secrets from a
password manager to prevent secret AVOID/DEV/STDIN TRANSPORT SAFELY
leakage Avoid reading from /dev/stdin, Pipes are temporary
read from as close to the data communication channels
source as possibl between processes
Programatically retreive Overall secure, as they only exist
secrets from a password in memory during the data
manager to prevent secret transfer
leakage
SCOPE AND ROTATE
Ensure they are have a limited
scop
Rotate any keys stored this
way often
S O PS
Free and open source tool from Mozilla allowing you to edit encoded files without needing
to unencrypt them


Read more about SOPS in our comprehensive guide: 

https://blog.gitguardian.com/a-comprehensive-guide-to-sops/
store safely
Set permissions for each fil
Ensure they are in your home
by you
LO CA L F I L E S Y S T E M ENCR Y P T I O N
Encrypt your data at rest with tools like LUSK based Linux tools, VeraCrypt or FireVault
use shellclear
Shellclear is a free and open
source tool to find secrets in your
Bash history
Shellclear can help you easily
remove any secrets from your
history