upvote

points

by bauruine6 hours ago |
comments
upvoteby trick-or-treat5 hours ago|
next
[-]
Yeah that's a good point. Dotenvx seems to claim a solution but I'm not smart enough to make sense of it.

However I do feel now like my sensitive things are better off deployed on a VPS where someone would need a ssh exploit to come at me.

reply
upvoteby TheDong5 hours ago|
parent|
[-]
dotenvx is a way to encrypt your secrets at rest. It's kinda like sops but not as good. https://getsops.io/

Notice how their tutorial says "run 'dotenvx run -- yourapp'". If you did 'dotenvx run -- env', all your secrets would be printed right there in plaintext, at runtime, since they're just encrypted at rest.

The equivalent in vercel would be encrypted in the database (the encrypted '.env' file), with a decryption key in the backend (the '.env.keys' file by default in dotenvx) used to show them in the frontend and decrypt them for running apps.

reply
upvoteby ErroneousBosh3 hours ago|
prev|
next
[-]
Exactly. How do you play back the encrypted DVD without having the decryption key right there on the player for everyone to find?
reply
upvoteby cyanydeez1 hours ago|
parent|
[-]
Keepass has an option to "encrypt in memory" certain passwords, sensitive information.

The point of encryption is often times about what other software or hardware attacks are minimized or eliminated.

However, if someone figures out access to a running system, theres really no way to both allow an app to run and keep everything encrypted. It certainly is possible, like the way keepass encrypts items in memory, but if an attacker has root on a server, they just wait for it to be accessed if not outright find the key that encrypted it.

This is to say, 99.9% of the apps and these platforms arn't secure against this type of low level intrusion.

reply
upvoteby 5 hours ago|
prev|
next
[-]
deleted
reply
upvoteby cuki2882 hours ago|
prev|
[-]
[dead]
reply