londons_explore 3 hours ago

I could imagine perhaps some system which rather than denying access might instead replace the key material from your .env key with "** redacted. This key material can be used via make, but can never be exfiltrated directly **" whenever that key is seen heading out towards the network...

brookst 2 hours ago | parent | next [-]

But that means the process can’t use the key for network requests, right?

mcintyre1994 2 hours ago | parent | prev [-]

OnePassword can do something like this where you put references to a path there instead of the key material, and then you wrap the invoke command with their CLI and it replaces them. So your local env file never has anything sensitive. A malicious agent could still exfiltrate if you give it access to debug tools on the running code though.
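
The reference-and-wrapper pattern from the comment above, as an added example that is not part of the thread and not 1Password's CLI or reference format: the `ref://` scheme, `FAKE_VAULT`, and all function names are hypothetical. It shows that the env file holds only references while the wrapped child process receives the real key in its environment, which is why inspection of the running process remains an exposure path.

```python
import os
import subprocess
import sys

# Constructed stand-in for a secrets manager; a real one sits behind an authenticated CLI or API.
FAKE_VAULT = {"ref://dev/payments/api_key": "sk_test_constructed_0123456789"}

# Constructed .env content: holds references only, never key material.
ENV_FILE_TEXT = """\
# payments service
API_KEY=ref://dev/payments/api_key
LOG_LEVEL=debug
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip()
    return pairs

def resolve(pairs, vault):
    """Swap references for secrets; fail closed on an unknown reference."""
    resolved = {}
    for key, value in pairs.items():
        if value.startswith("ref://"):
            if value not in vault:
                raise KeyError(f"unresolved secret reference for {key}")
            value = vault[value]
        resolved[key] = value
    return resolved

def run_wrapped(argv, env_text=ENV_FILE_TEXT, vault=FAKE_VAULT):
    """Run argv with resolved secrets present only in the child's environment."""
    child_env = {**os.environ, **resolve(parse_env(env_text), vault)}
    done = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    # The child sees the real key: anything able to inspect the running process can read it.
    print(run_wrapped([sys.executable, "-c", "import os; print(os.environ['API_KEY'])"]))
```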