
Launch a process with secrets as environment variables

Çağlar Arlı


I have a process that needs secret keys to be passed as environment variables. That is for historical reasons.

I have an AWS machine where this process runs, but I do not want to store these keys in files or scripts on the cloud.

What is the industry standard process for this situation? Do folks typically store the secret files under a username, lock it with standard unix file/user permissions, and hope for the best?

I thought about somehow keeping those secrets on a secure machine remotely and then starting processes on the remote machine with the provided keys, passing them through ssh. For that I'd have to customize /etc/sshd/config to allow some of these environment variables to be passed in the environment. Is this safer?

Alternatively, I thought about starting these processes with crontab but then reaching back home for the secrets.

As a third option I thought about storing these files as gpg encrypted files to be decrypted through ssh.

Am I being too stringent on my requirements?

Thank you,
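As an added illustration of the launcher pattern the question is circling around (fetch the secrets at start time from somewhere other than the local disk, then hand them only to the child process's environment), here is a small Python example. It is not code from the original post; the `fetch_secrets` function is a constructed in-memory stand-in for a call to a remote secrets backend such as AWS Secrets Manager or a vault on a "home" machine, so the example runs offline.

```python
import os
import subprocess
import sys

# Constructed stand-in for a remote secrets backend. In real use this dict
# would be replaced by a network call (e.g. to AWS Secrets Manager or a vault
# reached over ssh); the values here are made up so the example runs offline.
_FAKE_BACKEND = {"API_KEY": "example-key-123", "DB_PASSWORD": "example-pass"}


def fetch_secrets(names, backend=_FAKE_BACKEND):
    """Return {name: value} for the requested secrets, failing loudly on any
    name the backend does not know rather than silently launching without it."""
    missing = [n for n in names if n not in backend]
    if missing:
        raise KeyError(f"secrets not found in backend: {missing}")
    return {n: backend[n] for n in names}


def launch_with_secrets(argv, secret_names, fetch=fetch_secrets, base_env=None):
    """Run argv with the secrets present only in the child's environment.

    The parent's os.environ is copied, not modified, so the secrets never
    become part of the launcher's own environment and nothing is written to
    disk; they exist in memory only for the lifetime of the child.
    """
    env = dict(os.environ if base_env is None else base_env)
    env.update(fetch(secret_names))
    return subprocess.run(
        argv, env=env, capture_output=True, text=True, check=False
    )


def child_sees_secret(name):
    """Spawn a Python child that echoes one variable from its environment,
    to show the secret is visible to the child process."""
    code = f"import os; print(os.environ.get({name!r}, ''), end='')"
    result = launch_with_secrets([sys.executable, "-c", code], [name])
    return result.stdout


def parent_env_is_clean(name):
    """True if the launcher's own environment never received the secret."""
    return name not in os.environ


if __name__ == "__main__":
    print("child saw:", child_sees_secret("API_KEY"))
    print("parent clean:", parent_env_is_clean("API_KEY"))
```

Caveat worth keeping in mind when evaluating this against the question's file-permission option: on Linux the environment of a running process is readable from `/proc/<pid>/environ` by the same user and by root, so environment variables narrow the exposure to "whoever can already act as that user on that host" rather than eliminating it. The launcher pattern mainly removes the at-rest copy on disk; it does not protect against a compromised account or instance.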