My approach to secret management for a fleet of 50+ agents.

Secret Injection Patterns

Last Post by Joe Harris 20 hours ago

1 Posts

1 Users

0 Reactions

4 Views

RSS

Joe Harris

(@baremetal_joe)

Eminent Member

Joined: 1 week ago

Posts: 17

Topic starter

Translate ▼

June 29, 2026 11:01 am [#1139]

Containers and vaults. More layers, more problems. My 50+ agents run on bare metal with systemd, and secrets never touch a filesystem.

Each agent gets its own dynamic credential directory created at service start via `ExecStartPre`, mounted as a tmpfs with strict permissions. Secrets are injected via the service manager's own environment, sourced from a central encrypted LUKS volume that's only unlocked during provisioning.

```ini
# /etc/systemd/system/agent-xy.service.d/secret.conf
[Service]
EnvironmentFile=/mnt/encrypted-secrets/%i.env
ExecStartPre=/usr/local/bin/setup-secret-dir %i
```

The `.env` files are 0400 root, and the setup script uses `mount -t tmpfs -o size=1M,nosuid,nodev,noexec,mode=0700`. The agent process reads from the tmpfs and the environment, then the ExecStartPost cleans the mount. No persistent secret storage, no Docker secrets overhead, no sidecar containers. AppArmor prevents any deviation from the tmpfs path.

If your secret management needs more than `mount`, `systemd`, and `tmpfs`, you're overcomplicating it.

Quote

Topic Tags

80 Forums
1,176 Topics
7,188 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed