Secret Key
While it is possible to use systemd credentials via
LoadCredential=xyz.radicle.node.secret:…
ExecStart=radicle-node … --secret "${CREDENTIALS_DIRECTORY}/xyz.radicle.node.secret"
Make usage more convenient and directly support passing the secret key via a systemd credential. The ID of the credential must be
xyz.radicle.node.secret
and is not user-configurable.
A systemd service unit file might contain:
LoadCredential=xyz.radicle.node.secret:…
ExecStart=radicle-node …
This requires just a bit of plumbing in radicle-node.
The preference order for the path of the secret key is:
- The command line argument
--secret. - The systemd credential.
- The configuration file.
- The default location to preserve backward compatibility.
The reason to prefer the systemd credential over the configuration file is that it uses a mechanism that is influenced by the environment of the process, which is deemed “closer at runtime” or “more dynamic” than a configuration file. Ad-hoc overrides are still possible via the commandline argument.
Passphrase
While it is possible to pass the passphrase via the environment, e.g.
EnvironmentFile=<path to file that contains "RAD_PASSPHRASE=…">
this is less secure than passing it via a file, because the environment
is inherited down the process tree.
Thus, allow using a systemd credential. The ID of the credential must be
xyz.radicle.node.passphrase
and is not user-configurable.
Passing the passphrase via file is now possible with
LoadCredential=xyz.radicle.node.passphrase:<path to file that contains passphrase>
This requires just a bit of plumbing in radicle-node.
Because this mechanism is more secure than using the environment
variable RAD_PASSPHRASE, it takes priority. That is, if both the
systemd credential is available, and the environment variable
RAD_PASSPHRASE is set, the former is preferred.
Heads-up:
- The contents of the file must be valid UTF-8 (see documentation of
std::fs::read_to_string). Assuming that the passphrase is at some point chosen by the user and typed on a keyboard, this does not seem like a severe restriction. - The contents of the file are not processed otherwise, i.e. line breaks (notably at the end of the file) are not stripped.
The related issue/8bd040e9de05e7fc27e373ebc1649ff4ad930e7a asked for a
very similar feature: Passing the passphrase via a file named by the
value of the of the environment variable RAD_PASSPHRASE_FILE.
It was also briefly discussed at
https://radicle.zulipchat.com/#narrow/channel/369277-heartwood/topic/.60RAD_PASSPHRASE_FILE.60/with/529104447.
Plumbing in radicle-systemd
Add mod credential with fn path which implements a simple lookup of
systemd credentials. See https://systemd.io/CREDENTIALS/
Secret Key
While it is possible to use systemd credentials via
LoadCredential=xyz.radicle.node.secret:…
ExecStart=radicle-node … --secret "${CREDENTIALS_DIRECTORY}/xyz.radicle.node.secret"
Make usage more convenient and directly support passing the secret key via a systemd credential. The ID of the credential must be
xyz.radicle.node.secret
and is not user-configurable.
A systemd service unit file might contain:
LoadCredential=xyz.radicle.node.secret:…
ExecStart=radicle-node …
This requires just a bit of plumbing in radicle-node.
The preference order for the path of the secret key is:
- The command line argument
--secret. - The systemd credential.
- The configuration file.
- The default location to preserve backward compatibility.
The reason to prefer the systemd credential over the configuration file is that it uses a mechanism that is influenced by the environment of the process, which is deemed “closer at runtime” or “more dynamic” than a configuration file. Ad-hoc overrides are still possible via the commandline argument.
Passphrase
While it is possible to pass the passphrase via the environment, e.g.
EnvironmentFile=<path to file that contains "RAD_PASSPHRASE=…">
this is less secure than passing it via a file, because the environment
is inherited down the process tree.
Thus, allow using a systemd credential. The ID of the credential must be
xyz.radicle.node.passphrase
and is not user-configurable.
Passing the passphrase via file is now possible with
LoadCredential=xyz.radicle.node.passphrase:<path to file that contains passphrase>
This requires just a bit of plumbing in radicle-node.
Because this mechanism is more secure than using the environment
variable RAD_PASSPHRASE, it takes priority. That is, if both the
systemd credential is available, and the environment variable
RAD_PASSPHRASE is set, the former is preferred.
Heads-up:
- The contents of the file must be valid UTF-8 (see documentation of
std::fs::read_to_string). Assuming that the passphrase is at some point chosen by the user and typed on a keyboard, this does not seem like a severe restriction. - The contents of the file are not processed otherwise, i.e. line breaks (notably at the end of the file) are not stripped.
The related issue/8bd040e9de05e7fc27e373ebc1649ff4ad930e7a asked for a
very similar feature: Passing the passphrase via a file named by the
value of the of the environment variable RAD_PASSPHRASE_FILE.
It was also briefly discussed at
https://radicle.zulipchat.com/#narrow/channel/369277-heartwood/topic/.60RAD_PASSPHRASE_FILE.60/with/529104447.
Plumbing in radicle-systemd
Add mod credential with fn path which implements a simple lookup of
systemd credentials. See https://systemd.io/CREDENTIALS/
Fix commit message
Improve commit messages
Fix a small clippy.
Add changelog entries.
Rebase