Including secrets in the compiled binary seems questionable still - using env variables or a config is the "standard" way for secrets, and although it adds another step before you can run, it avoids the case of sharing your binary with someone and forgetting that you had compiled in some secret that goes unnoticed. Unpacking a binary to find strings is pretty trivial.
Having the static frontend assets baked in along with a default config is a huge boon though.
You can include encrypted secrets and deploy the key out-of-band (e.g. just copy the private key with scp). This is much more secure than env variables, which are prone to leakage. Our open source solution for this (cross-platform, cross-language): https://neosmart.net/blog/securestore-open-secrets-format/
It supports embedding the encrypted secrets in the binary or loading them from a file. The secrets would actually be stored (encrypted) alongside the code, even versioned in git.
ComputerGuru|2 years ago
E.g. this is the Rust version on GitHub: https://github.com/neosmart/securestore-rs/tree/master
chromatin|2 years ago
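A pre-release check for the risk raised at the top of the thread, as an added example that is not part of any comment or of SecureStore: it pulls printable strings out of a build artifact and flags ones that look like plaintext secrets. The rule set, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re

# Illustrative rules for plaintext secrets that end up compiled into a binary.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        rb"(?i)(?:password|passwd|secret|token|api_?key)\s*[=:]\s*[^\s\"']{6,}"),
}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as `strings -n 6`


def find_embedded_secrets(blob: bytes):
    """Return sorted (offset, rule, text) for printable runs that look like secrets."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        for rule, pattern in SECRET_PATTERNS.items():
            for hit in pattern.finditer(run.group()):
                findings.append(
                    (run.start() + hit.start(), rule, hit.group().decode("ascii")))
    return sorted(findings)


def constructed_binary(payload: bytes) -> bytes:
    """Constructed stand-in for a build artifact: fake header, filler, data section."""
    filler = hashlib.sha256(b"constructed filler").digest() * 4
    return b"\x7fELF\x02\x01\x01\x00" + filler + b"\x00" + payload + b"\x00" + filler


# Constructed payloads: a compiled-in plaintext secret versus an opaque encrypted blob.
PLAINTEXT_PAYLOAD = b"DB_PASSWORD=constructed-hunter2\x00listen=0.0.0.0:8080"
ENCRYPTED_PAYLOAD = hashlib.sha256(b"constructed ciphertext").digest() * 2

if __name__ == "__main__":
    for label, payload in (("plaintext", PLAINTEXT_PAYLOAD),
                           ("encrypted", ENCRYPTED_PAYLOAD)):
        hits = find_embedded_secrets(constructed_binary(payload))
        print(label, hits if hits else "no findings")
```

A clean result only means no string matched these rules; it says nothing about whether an embedded encrypted store's key is handled safely.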