Service-bound lifetimes are an implementation proposed by secrix.
They seem like a great security upgrade.
From their README:
bind secrets to systemd services to ensure that their lifetime is only as long as the service itself. As well, it allows for system secrets, which are by default bound to the lifetime of the system. All secrets are stored in virtual memory and do not end up on disk.
Creating a service secret is as easy as secrix.services..secrets..encrypted.file. Its final location will end up in secrix.services..secrets..decrypted.path. System secrets are defined as secrix.system.secrets, with the same pattern as service secrets, minus the service.
Looking at the secrix source code, it seems to achieve this using some systemd features:
BindsTo= / PartOf=, which create a hard dependency between them (e.g., if the main service stops, the secrets helper service also stops)
RuntimeDirectory= which tells systemd to create a directory in /run (tmpfs) specifically for this unit and delete it automatically when the unit stops
Before= to make sure it takes precedence over the application service
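To make the mechanism concrete, here is a hand-written pair of systemd units (added illustration, not units generated by secrix or taken from its source) showing how those three directives tie a decrypted secret's lifetime to the application. The unit names, user, paths and the decrypt command are placeholders.

```ini
# myapp-secrets.service (hypothetical helper unit)
[Unit]
Description=Decrypt secrets for myapp into tmpfs
# BindsTo= tears this helper down whenever myapp.service stops; PartOf= also
# propagates stop/restart of myapp.service here. Together they make the
# secret live exactly as long as the application.
BindsTo=myapp.service
PartOf=myapp.service
# Order the helper before the application so the secret exists at app start.
Before=myapp.service

[Service]
Type=oneshot
# Keep the unit "active" after the decrypt command exits; a oneshot that goes
# inactive would have its RuntimeDirectory= removed straight away.
RemainAfterExit=yes
# systemd creates /run/myapp-secrets on tmpfs, exports $RUNTIME_DIRECTORY to
# the process, and deletes the directory when this unit stops. Mode 0700 keeps
# every other user out; the directory is owned by User= below.
RuntimeDirectory=myapp-secrets
RuntimeDirectoryMode=0700
User=myapp
# Placeholder decrypt step: substitute the real decryption tool and key path.
ExecStart=/usr/local/bin/decrypt-secret --in /etc/secrets/api-key.age --out ${RUNTIME_DIRECTORY}/api-key
ExecStartPost=/bin/chmod 0400 ${RUNTIME_DIRECTORY}/api-key

# myapp.service (hypothetical application unit)
[Unit]
Description=Example application consuming a service-bound secret
# Pull the helper in and wait for it, so the secret is present before start.
Requires=myapp-secrets.service
After=myapp-secrets.service

[Service]
# Same user as the helper, so the 0700 runtime directory is readable.
User=myapp
ExecStart=/usr/local/bin/myapp --api-key-file /run/myapp-secrets/api-key
```

After `systemctl stop myapp.service`, the helper stops too and /run/myapp-secrets is gone, which is the check worth running when adopting this pattern.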