Post · bonfire.cafe

Credentials shouldn't be around in plain text files. But I also don't want to set up a fully fledged credentials management solution for my homelab.

Wouldn't it be nice to dynamically load the credentials I need when I step into my work directory, and remove then when I leave it?

Let's use @bitwarden and direnv to keep credentials safe in all simplicity!

https://ergaster.org/posts/2025/07/28-direnv-bitwarden-integration/

#homelab #security #sysadmin

Kevin P. Fleming

@kevin@mastodon.km6g.us replied · 2 days ago

@thibaultamartin Thanks for this! I'm using it to replace a hacky script I built for extracting an Ansible Vault secret from Vaultwarden (using the 'bw' CLI tool as your script does).

One small note: the script in your blog post sets a local 'password_names' variable but then doesn't appear to use it.

James Wells

@nikatjef@mastodon.acm.org replied · 3 days ago

@thibaultamartin
Last year I built a 3 node Proxmox cluster and used Hashicorp's Vault for secrets management, but that solution looks great as well.

@bitwarden

Thib

@thibaultamartin@mamot.fr replied · 3 days ago

@nikatjef @bitwarden one of my constraints is “I want to be able to redeploy everything if both my laptop and server get stolen or fail at the same time” but I definitely want to look into OpenBao at some point :)

James Wells

@nikatjef@mastodon.acm.org replied · 3 days ago

@thibaultamartin
Thanks for the pointer to OpenBao... Was not aware of it, but will look into a Vault replacement. :)

@bitwarden

James Wells

@nikatjef@mastodon.acm.org replied · 3 days ago

@thibaultamartin
For that, I had a non-voting Vault member out on a free Oracle cloud server that was my Vault backup and well as a Ceph member for recording VM / LXC container details.

I also used Terraform and Ansible (backed by Github) to manage all my VMs / LXC containers.

@bitwarden

Sheogorath

@sheogorath@microblog.shivering-isles.com replied · 3 days ago

@thibaultamartin There is also secret-tool, which allows you to just use your desktop keyring ;)

This way you safe yourself entering any master passwords, since this is all done by logging in.

https://grahamwatts.co.uk/gnome-secrets/#retrieving-secrets-with-secret-tool

Thib

@thibaultamartin@mamot.fr replied · 3 days ago

@sheogorath great reco! I’m not using a Linux based admin machine at the moment, but I’ll keep that in mind :)

V02460

@v02460@social.librem.one replied · last week

@thibaultamartin @thibaultamartin Environment vars might not give you the security characteristics you expect. Example quote from the systemd docs: “Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection.

V02460

@v02460@social.librem.one replied · last week

@thibaultamartin Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data.”

QuadRadical

@QuadRadical@wetdry.world replied · last week

@thibaultamartin @bitwarden Hmm, that's very cool, but I do wonder how it could be used in production? The login command right now requires user input right?