cloud-init team mailing list archive

Best practices for sensitive data handling

I couldn't find any documentation or discussions on the web about this aspect of cloud-init, so I'm trying the mailing list.

My use case for cloud-init includes hitting my domain registrar's API to update a DNS record so that a certain domain points to the IP of the server that is provisioning itself. Doing this involves embedding a secret API key in the user-data file.

Problem is, after bootstrapping I can find this secret scattered in several
places around the server, at /run/cloud-init and /var/lib/cloud.
/run/cloud-init/instance-data.json is particularly vexing because
it's a world readable file.

So I'd like to hear your opinion on what's a good approach to sensitive data handling. I couldn't come up with any way to securely embed sensitive data into the template itself, only do a post-install cleanup. After completing the bootstrap I'm rebooting the server and then uninstalling cloud-init and manually removing /run/cloud-init and /var/lib/cloud.

Are there better ways to go about this?
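A post-bootstrap audit for the exposure the poster describes, added here as an example and not part of the original message or of cloud-init: it walks the two directories named above, reports every regular file that still contains the secret, and flags which of those files are world readable. The `demo()` tree, its file names and the placeholder key are constructed for illustration.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Directories the post names as places where user-data contents end up.
DEFAULT_DIRS = ["/run/cloud-init", "/var/lib/cloud"]


def find_secret_exposures(secret: str, dirs: List[str]) -> List[Dict[str, object]]:
    """Return one record per regular file under `dirs` whose bytes contain `secret`,
    noting the file mode and whether the 'other' read bit (world readable) is set."""
    hits = []
    needle = secret.encode()
    for root_dir in dirs:
        for dirpath, _dirnames, filenames in os.walk(root_dir):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                        continue
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # unreadable or vanished file: not an exposure we can assess
                if needle in data:
                    hits.append({
                        "path": path,
                        "mode": oct(st.st_mode & 0o777),
                        "world_readable": bool(st.st_mode & stat.S_IROTH),
                    })
    return sorted(hits, key=lambda h: h["path"])


def demo() -> List[Dict[str, object]]:
    """Constructed sample tree mimicking the two directories from the post."""
    base = tempfile.mkdtemp()
    run_dir = os.path.join(base, "run", "cloud-init")
    lib_dir = os.path.join(base, "var", "lib", "cloud", "instance")
    os.makedirs(run_dir)
    os.makedirs(lib_dir)
    secret = "EXAMPLE-API-KEY-0000"  # constructed placeholder, not a real key
    world_readable = os.path.join(run_dir, "instance-data.json")
    with open(world_readable, "w") as fh:
        fh.write('{"userdata": "api_key=%s"}' % secret)
    os.chmod(world_readable, 0o644)
    owner_only = os.path.join(lib_dir, "user-data.txt")  # constructed name
    with open(owner_only, "w") as fh:
        fh.write("api_key=" + secret)
    os.chmod(owner_only, 0o600)
    with open(os.path.join(run_dir, "status.json"), "w") as fh:
        fh.write("{}")  # no secret here, must not be reported
    return find_secret_exposures(secret, [os.path.join(base, "run", "cloud-init"),
                                          os.path.join(base, "var", "lib", "cloud")])
```

Against a real host, call `find_secret_exposures(key, DEFAULT_DIRS)` as root after the bootstrap and before the cleanup step, so the removal can be verified rather than assumed.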