
Feature request: Allow WIREGUARD_PRIVATE_KEY to be specified via a secret file

Open Sn0wCrack opened this issue 2 years ago • 4 comments

What's the feature? 🧐

Allow WIREGUARD_PRIVATE_KEY to be specified via a Docker Compose secret file.

Optional extra information 🚀

I usually like to do this so I can have any sensitive data I'd normally put in my docker-compose file in a permission controlled directory.

Sn0wCrack, Sep 12 '21

Also WIREGUARD_PRESHARED_KEY and WIREGUARD_ADDRESS, I would think.

jathek, Sep 13 '21

  • WIREGUARD_PRIVATE_KEY yes
  • WIREGUARD_PRESHARED_KEY I guess so
  • WIREGUARD_ADDRESS meh not really, an attacker can't do much with it anyway right?

Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

qdm12, Sep 13 '21

> Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

Honestly you're right, I could just separate out all of my variables into a separate environment file the same way the secrets files work on my system.

Sn0wCrack, Sep 14 '21

> Also why do you guys see an interest in using files instead of env variables? Sensitive variables are unset at start once read in memory, so the only place they are vulnerable is in your e.g. docker-compose.yml... which is also a file. And for more advanced systems like K8s, I think you can specify a secret file to be plugged in as env variable 🤔 Just being curious! Thanks!

Removing sensitive items from my default .env means other containers won't see the variables. I could use an .env specifically for gluetun, but having separate files also lets me write to a file from command-line easily and change the value without messing around with nano.

jathek, Sep 15 '21

See https://github.com/qdm12/gluetun/pull/1348#issuecomment-1646538214 I'll get to it soon.

qdm12, Jul 22 '23