$CSE_CONFIG_PASSWORD not encrypted

Open sbernervmware opened this issue 5 years ago • 1 comments

When using CSE with encrypted config files as a service, you need to set the environment variable CSE_CONFIG_PASSWORD, but this has to be clear text and it is not possible to encrypt it. To ensure security it should be encrypted.

sbernervmware, May 11 '20 14:05

Hi,

We can expose the CSE_CONFIG_PASSWORD environment variable from cse.sh via the EnvironmentFile directive. This is documented in cse.sh:

```sh
### CSE config file should be encrypted for security (using `cse encrypt` command)
### Encryption password should be stored in the environment variable `CSE_CONFIG_PASSWORD`
### Environment variable can be declared 2 ways:
### (1) Plaintext in this script
# export CSE_CONFIG_PASSWORD=mypassword
### (2) Create a file to store the environment variable. The file should contain the line: `CSE_CONFIG_PASSWORD=mypassword`
### Add `EnvironmentFile=/path/to/file` under `[Service]` in `cse.service`
### Note: If `EnvironmentFile=/path/to/file` exists under `[Service]` in `cse.service` but the file does not exist, CSE will fail to start
```

By using the EnvironmentFile directive, you don't end up exposing the password outside the process where you are running cse as a service.

Encrypting the password itself is a chicken-and-egg problem. No matter how many layers of indirection you add, you will need a plaintext password at some point to start decrypting. In my opinion, the EnvironmentFile directive is a pretty standard way of loading sensitive info into an environment variable without really leaking it out to everyone.

Regards Aritra Sen

rocknes, May 12 '20 07:05
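
An added example, not part of the issue thread or the CSE project: a shell sketch that writes the file referenced by `EnvironmentFile=` with owner-only permissions and audits it before the service is started. The function names and the stdin-based password input are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: create and audit the file referenced by EnvironmentFile=
# under [Service] in cse.service. Function names are hypothetical.

# write_env_file FILE  (password is read from stdin, not passed as an argument)
# The file is created under umask 077 and moved into place, so the secret is
# never readable by group/other, even if FILE existed before with a wider mode.
write_env_file() {
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        tmp="$1.tmp.$$"
        printf 'CSE_CONFIG_PASSWORD=%s\n' "$pw" > "$tmp" && mv -f "$tmp" "$1"
    )
}

# audit_env_file FILE
# Prints "ok" and returns 0 when FILE is a regular file with no group/other
# permission bits and a non-empty CSE_CONFIG_PASSWORD entry; otherwise prints
# the reason and returns 1.
audit_env_file() {
    f=$1
    # A symlink could point the unit at a file someone else controls.
    if [ -L "$f" ]; then echo "symlink"; return 1; fi
    # Per cse.sh: if EnvironmentFile= is set but the file is absent, CSE fails to start.
    if [ ! -f "$f" ]; then echo "missing"; return 1; fi
    mode=$(stat -c '%a' "$f")
    case $mode in
        *00) ;;                              # owner-only, e.g. 600 or 400
        *) echo "mode $mode"; return 1 ;;    # group/other can read or alter it
    esac
    if ! grep -q '^CSE_CONFIG_PASSWORD=.' "$f"; then
        echo "no-password"; return 1
    fi
    echo "ok"
}
```

Running `audit_env_file` from a pre-start check catches a file that was later copied or restored with wider permissions.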