Re: Best practices for tokens/passwords that can't be versioned


Thanks Erik,
guess that could work too and seems cleaner than the env variables.

It still leaves the question how to move that content into a static file.
For example if in the end the recipe should install a file with "super
secret" as the content.

Example on the device at runtime:
cat /etc/config-passwords
super secret

The only idea that comes to mind is to do something like this in the recipe:

set_secrets() {
    echo "${MYSECRETKEY}" > ${IMAGE_ROOTFS}/etc/config-passwords
}

But that seems like a bad practice because it "globalizes" the recipe logic.
It's no longer a matter of that recipe but something applied to the
whole rootfs.

Be Well,

On Tue, Dec 11, 2018 at 1:09 PM Erik Botö <erik.boto@...> wrote:

On Tue, Dec 11, 2018 at 12:55 PM Alan Martinovic
<alan.martinovic@...> wrote:
Seems like conf/local.conf could also offer a solution given that it's
a temporary thing (per build setup), but didn't yet figure out a good
mechanism.

You could have a variable in the recipe and override that value in local.conf.

Let's say your recipe is called in which you add
something like this:

Then this could be assigned from local.conf using something like:
MYSECRETKEY_pn-myexample = "super secret"


