My wants:
- Secrets not visible by inspecting process env vars (/proc/PID/environ).
- No secrets on disk (encrypted is fine).
systemd does that: SetCredentialEncrypted= https://www.freedesktop.org/software/systemd/man/latest/syst...
Provide a TPM-encrypted credential (made by systemd-creds) and it will be decrypted and placed in a memory-backed file within a private namespace mount.
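A unit fragment showing the setup described in the reply, as an added example rather than anything from the thread or from systemd's own docs; the service name, credential name and paths are placeholders, and the base64 blob is whatever `systemd-creds encrypt` printed for your secret:

```ini
# Example added here; not from the original thread.
# Assumed preparation step (run once, on the host whose TPM should unseal the secret):
#   systemd-creds encrypt --with-key=tpm2 --name=db-password --pretty - - < plaintext.txt
# --pretty prints a ready-made SetCredentialEncrypted= line; the placeholder below stands for it.
[Service]
# Ciphertext lives in the unit file; only this host's TPM can unseal it.
SetCredentialEncrypted=db-password:<BASE64 OUTPUT OF systemd-creds encrypt>
# Alternative: keep the ciphertext in a separate file instead of inline.
# LoadCredentialEncrypted=db-password:/etc/myapp/db-password.cred
# The plaintext appears only under $CREDENTIALS_DIRECTORY (a private, memory-backed mount),
# never in the environment block, so /proc/PID/environ shows nothing useful.
ExecStart=/usr/bin/myapp --password-file=${CREDENTIALS_DIRECTORY}/db-password
DynamicUser=yes
PrivateTmp=yes
```

Check from another shell while the service runs: `cat /proc/<PID>/environ | tr '\0' '\n'` should list only `CREDENTIALS_DIRECTORY=/run/credentials/<unit>` and no secret value, and the directory is unreadable to other users.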