Systeemkabouter.nl – Using RAM disk to store unencrypted secrets

Using RAM disk to store unencrypted secrets

Posted on Friday 03 December 2021 in desktop

During my day there are a few secrets that I use a lot. The best examples are the Ansible Vault password for a particular environment, needed to run a playbook, and the password for an API that I call often.

On my Mac I added a small bit of code to my .bashrc:

  if [[ ! -d /Volumes/RAM_disk ]]; then
    # ram:// is sized in 512-byte sectors: 2097152 * 512 bytes = 1 GiB
    diskutil erasevolume HFS+ 'RAM_disk' $(hdiutil attach -nobrowse -nomount ram://2097152) >/dev/null
  fi
  # outside the if, so the alias also exists in shells started while the RAM disk is already there
  alias unlock="ansible-playbook .ramdisk/ramdisk_files.yml --ask-vault-pass --extra-vars=@.ramdisk/secrets.yml"

This creates a 1 GiB RAM disk at /Volumes/RAM_disk when it does not exist yet, and sets up an easy alias that runs the Ansible playbook to decrypt the secrets into files on the RAM disk.

For Linux it could look something like this, keeping the same /Volumes/RAM_disk path so the playbook below works unchanged on both systems:

# test for the mount, not the directory: after umount the directory is still there,
# so a -d test would never mount the tmpfs again
if ! mountpoint -q /Volumes/RAM_disk; then
  # /Volumes does not exist on Linux, so creating it needs root
  sudo mkdir -p /Volumes/RAM_disk
  # tmpfs defaults to mode 1777 (any local user can list it); restrict it to this user
  sudo mount -t tmpfs -o size=1024m,mode=0700,uid=$(id -u),gid=$(id -g) RAM_disk /Volumes/RAM_disk
fi
# outside the if, so the alias also exists when the tmpfs is already mounted
alias unlock="ansible-playbook .ramdisk/ramdisk_files.yml --ask-vault-pass --extra-vars=@.ramdisk/secrets.yml"

The playbook looks something like this:

- name: "Setup RAM disk contents"
  hosts: localhost
  gather_facts: false
  tasks:
    - name: "Setup blabla secret"
      copy:
        dest: "/Volumes/RAM_disk/blabla_secret"
        content: "blabla_secret: {{ blabla_secret }}\n"
        mode: 0400
      # keep the decrypted value out of the playbook's own output (verbose runs, --diff)
      no_log: true

And secrets.yml contains the same variables as ansible-vault encrypted strings (the inline !vault format that ansible-vault encrypt_string produces), so the vault password the alias asks for decrypts them.

Now, whenever the RAM disk is empty, all I do is type 'unlock' and enter the password that was used to encrypt my other passwords.

To get rid of the plain text passwords in RAM, I eject the RAM disk:

hdiutil detach /Volumes/RAM_disk

or on Linux:

sudo umount /Volumes/RAM_disk

Shutting the computer down does it as well. Two caveats: RAM disk and tmpfs pages can be swapped out like any other memory, and suspend-to-disk writes RAM to disk first, so keep swap encrypted or disabled if that matters to you. Ejecting also does nothing for copies that already left the RAM disk, such as a secret pasted into a command line that ended up in shell history.
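The whole procedure above as one sourceable script, an added example and not the post's own code. It keeps the post's paths (/Volumes/RAM_disk, .ramdisk/ramdisk_files.yml, .ramdisk/secrets.yml) as defaults, detects macOS versus Linux, tests for the mount instead of the directory, restricts the Linux tmpfs to the current user, and adds a ramdisk_get helper that reads a value from the "name: value" file the playbook wrote. The RAMDISK_* variables and all function names are my own.

```shell
#!/bin/sh
# ramdisk.sh: source this from ~/.bashrc, then use "unlock", "lock" and "ramdisk_get".
# Added example, not the post's code. Defaults follow the post's layout; set the
# RAMDISK_* variables before sourcing if yours differs.
RAMDISK_MOUNT="${RAMDISK_MOUNT:-/Volumes/RAM_disk}"
RAMDISK_SIZE_MB="${RAMDISK_SIZE_MB:-1024}"
RAMDISK_PLAYBOOK="${RAMDISK_PLAYBOOK:-.ramdisk/ramdisk_files.yml}"
RAMDISK_SECRETS="${RAMDISK_SECRETS:-.ramdisk/secrets.yml}"

# hdiutil's ram:// URL is sized in 512-byte sectors: 1024 MiB -> 2097152.
ram_sectors() { echo $(( $1 * 2048 )); }

# tmpfs defaults to mode 1777 (any local user can list it), so pin mode, uid and gid.
# Arguments: size in MiB, uid, gid.
tmpfs_opts() { echo "size=${1}m,mode=0700,uid=$2,gid=$3"; }

# Is something mounted at $1? A plain "-d" test stays true on Linux after umount
# (the directory survives), so the post's check would never mount again.
ramdisk_mounted() {
  case "$(uname -s)" in
    Darwin) mount | grep -q " on $1 (" ;;
    *)      mountpoint -q "$1" ;;
  esac
}

# Create and mount the RAM disk if it is not there yet.
ramdisk_create() {
  ramdisk_mounted "$RAMDISK_MOUNT" && return 0
  case "$(uname -s)" in
    Darwin)
      # hdiutil prints the device node padded with whitespace; strip it before use
      _dev=$(hdiutil attach -nobrowse -nomount "ram://$(ram_sectors "$RAMDISK_SIZE_MB")" | tr -d '[:space:]')
      diskutil erasevolume HFS+ "$(basename "$RAMDISK_MOUNT")" "$_dev" >/dev/null
      ;;
    Linux)
      sudo mkdir -p "$RAMDISK_MOUNT"   # /Volumes does not exist on Linux
      sudo mount -t tmpfs -o "$(tmpfs_opts "$RAMDISK_SIZE_MB" "$(id -u)" "$(id -g)")" \
        ramdisk "$RAMDISK_MOUNT"
      ;;
    *) echo "ramdisk: unsupported OS $(uname -s)" >&2; return 1 ;;
  esac
}

# Decrypt the vault-encrypted variables onto the RAM disk (prompts for the vault password).
unlock() {
  ramdisk_create || return 1
  ansible-playbook "$RAMDISK_PLAYBOOK" --ask-vault-pass --extra-vars="@$RAMDISK_SECRETS"
}

# Drop the RAM disk, and the plaintext with it.
lock() {
  ramdisk_mounted "$RAMDISK_MOUNT" || return 0
  case "$(uname -s)" in
    Darwin) hdiutil detach "$RAMDISK_MOUNT" ;;
    *)      sudo umount "$RAMDISK_MOUNT" ;;
  esac
}

# Print the value of secret $1 from the "<name>: <value>" file the playbook wrote,
# failing loudly (instead of expanding to an empty string) while the disk is locked.
ramdisk_get() {
  _file="$RAMDISK_MOUNT/$1"
  if [ ! -r "$_file" ]; then
    echo "ramdisk_get: $1 not available, run unlock first" >&2
    return 1
  fi
  sed -n "s/^$1: //p" "$_file"
}
```

Put `. ~/.ramdisk/ramdisk.sh` in .bashrc and the post's alias becomes the unlock function; a call like curl -H "Authorization: Bearer $(ramdisk_get api_token)" then fails the whole command when the disk is locked, rather than silently sending an empty token. The script deliberately does not set -e, because it is sourced into the interactive shell.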

References:

  • RAM disk in Macos: https://gist.github.com/htr3n/344f06ba2bb20b1056d7d5570fe7f596
  • RAM disk in Linux: https://www.linuxbabe.com/command-line/create-ramdisk-linux