Richard Bucker

safekeeper - go generate: substitute tokens with ENV variables

Posted at — Mar 1, 2015

Safekeeper┬áit’s a novel idea to prevent the need of putting secrets directly in your code which might be stored in your version control system and this exposing secrets. In response safekeeper uses go’s generate functionality to process a template and replace the various tokens with their production values.I like it but…It would be easy enough to do, however, I’m wrestling with the idea at the moment. (a) how secure is it really if the build pipeline needs to keep this information in the environment. At some point it needs to be stores so that it can be restored (b) Putting the credentials in the code makes the attack vector the program and not the environment. The application is going to leave echo of itself as it’s backed up, tested in staging and so on. (c) with the discovery services associated with tools like etcd this sort of thing might be delayed until actual runtime instead of at-rest.So for now I’m trying it with one of my projects (macroinator). I might implement my own version using go’s own template schema instead of their version. But that’s for another day.In conclusion I do not think it’s a solution for secure access.