@thibaultamartin Environment vars might not give you the security characteristics you expect. Example quote from the systemd docs: “Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection.
@v02460 thanks for the heads-up! It's true I didn't make it obvious when writing my post, but this is all done on my admin machine (my laptop) when calling very short-lived commands (tofu and ansible) to execute commands remotely, and not setting up the environment variables on the remote host.
Do you reckon this is still a problem in this configuration? That seemed to be a fairly standard way to do it when reading the opentofu docs.
@thibaultamartin Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data.”
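Added example (not from either poster) illustrating the propagation the quoted systemd docs describe: a secret exported in the admin shell reaches a grandchild process that was never told about it, and stripping it from the environment handed to the first child is what stops it. All names and values are constructed.

```python
import os
import subprocess
import sys

# Constructed example values; the token is not real.
SECRET_NAME = "EXAMPLE_API_TOKEN"
SECRET_VALUE = "constructed-not-a-real-token"

# Grandchild: knows nothing about the secret, just reports what its
# environment holds for the name it is given.
GRANDCHILD_CODE = (
    "import os, sys; "
    "print(os.environ.get(sys.argv[1], '<unset>'))"
)

# Child: spawns the grandchild with default inheritance, the way a CLI tool
# spawns a helper or plugin, and forwards the grandchild's answer.
CHILD_CODE = (
    "import subprocess, sys; "
    "r = subprocess.run([sys.executable, '-c', sys.argv[1], sys.argv[2]], "
    "capture_output=True, text=True); "
    "print(r.stdout.strip())"
)


def grandchild_sees_secret(scrub: bool) -> str:
    """Return the secret's value as seen two process levels down.

    scrub=False: the child inherits the whole parent environment (the
    default), so the grandchild inherits it too.
    scrub=True: the child is started with a copy of the environment that
    has the secret removed, so nothing below it can receive it.
    """
    parent_env = dict(os.environ)
    parent_env[SECRET_NAME] = SECRET_VALUE  # like `export TOKEN=...` in the shell
    child_env = dict(parent_env)
    if scrub:
        child_env.pop(SECRET_NAME, None)
    result = subprocess.run(
        [sys.executable, "-c", CHILD_CODE, GRANDCHILD_CODE, SECRET_NAME],
        env=child_env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    print("inherited:", grandchild_sees_secret(scrub=False))
    print("scrubbed: ", grandchild_sees_secret(scrub=True))
```

The same inheritance applies to every provider, plugin or ssh helper a tool such as tofu or ansible starts, so a scrub has to happen before the first child is launched.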