
Storing application secrets safely on Linux

Çağlar Arlı


I have a Linux application that needs to read a secret to decrypt some data. The application also allows the users to change the encryption password during runtime. The application will run under a separate user account and the secret is currently in a file owned by that user. I am trying to think of ways to improve this situation since the password is in plaintext in a file.

The application could be started as root and then drop privileges to the application user. This way the secret file can be owned by root, but then the password change scenario breaks unless I am running another daemon as root.

I am basically looking to prevent the secret from being in plaintext on the disk, and without a human in the loop to bootstrap the encryption process, the best that can be done is to make it harder to get to the secret even if someone gets code execution.

Can anyone share any suggestions on how I can improve the current situation? Is keyctl something that is applicable here or is that normally just used to store kernel secrets?

Any suggestions will be appreciated!
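The start-as-root-then-drop design discussed in the question, with the runtime password change kept working, as an added example (this is editor-supplied code, not code from the post): the secret file stays root-owned with mode 0600, the daemon opens it read/write while still root, drops to the application user, and from then on reads and rewrites the secret only through the retained descriptor. That works because Linux checks file permissions at open() time, not on each read or write, so no second root daemon is needed for rotation. The `/etc/myapp/app.secret` path is an assumed placeholder, and `run_demo()` stands in for the real `setuid()` drop by revoking its own path access with `chmod 0000`, so the demonstration runs as an ordinary user.

```python
import os
import stat
import tempfile

# Assumed location for illustration: root-owned, mode 0600, not on the page.
SECRET_PATH_ASSUMED = "/etc/myapp/app.secret"


def open_secret_fd(path: str) -> int:
    """Open the root-owned secret read/write while still privileged.

    Permissions are checked here, at open(); the descriptor remains usable
    for reading and writing after the process has dropped to the app user.
    """
    fd = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    st = os.fstat(fd)
    # Refuse a secret file that other accounts could read or modify.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        os.close(fd)
        raise PermissionError(f"{path} is group/world accessible")
    return fd


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently drop from root to uid/gid; call after open_secret_fd()."""
    os.setgroups([])  # discard supplementary groups inherited from root
    os.setgid(gid)
    os.setuid(uid)
    # The drop must be irreversible: regaining uid 0 has to fail.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def read_secret(fd: int) -> bytes:
    """Read the current secret through the retained descriptor."""
    return os.pread(fd, 4096, 0).rstrip(b"\n")


def rotate_secret(fd: int, new_secret: bytes) -> None:
    """Replace the stored secret without re-opening the file.

    This is what keeps the runtime password change working after the
    privilege drop: the write goes through the descriptor opened as root.
    """
    os.ftruncate(fd, 0)
    os.pwrite(fd, new_secret + b"\n", 0)
    os.fsync(fd)


def reopen_possible(path: str) -> bool:
    """Can the current identity still open the secret by path?"""
    try:
        os.close(os.open(path, os.O_RDONLY | os.O_CLOEXEC))
        return True
    except PermissionError:
        return False


def run_demo() -> dict:
    """Exercise the pattern in a temp directory without needing root.

    The chmod 0000 after the open simulates losing root: a non-root user can
    no longer open the path, yet the retained fd still reads and writes.
    The secret values are constructed samples, not real key material.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.secret")
        with open(path, "wb") as f:
            f.write(b"initial-secret\n")
        os.chmod(path, 0o600)

        fd = open_secret_fd(path)  # step 1: open while still privileged
        os.chmod(path, 0o000)      # step 2: stand-in for drop_privileges()
        result = {
            "running_as_root": os.geteuid() == 0,
            "reopen_ok": reopen_possible(path),  # False for a non-root user
            "before": read_secret(fd),
        }
        rotate_secret(fd, b"rotated-secret")     # step 3: runtime password change
        result["after"] = read_secret(fd)
        os.fchmod(fd, 0o600)  # restore mode so cleanup is tidy
        os.close(fd)
        return result


if __name__ == "__main__":
    print(run_demo())
```

In a real daemon the order is `open_secret_fd()`, then `drop_privileges(app_uid, app_gid)`, then everything else; the secret then exists in plaintext only inside the process, which is the most a design without a human at startup can achieve, as the question already notes. The kernel keyring that `keyctl` manages is also available to ordinary user processes for holding key material outside the filesystem, but that mechanism is not covered by this example.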