Secret Management for Linux VMs
This guide will show you how to provision an application running on a Linux virtual machine with the secrets it needs.
If your VMs run in the cloud, check out the cloud-specific guides instead; they cover how to authenticate to SecretHub using cloud-native services, so you don’t have to handle service credentials yourself:
- AWS EC2
- GCP Compute Engine (coming soon)
- Azure Virtual Machines (coming soon)
Before you begin
Before you start using SecretHub on Linux VMs, make sure you have:
- Followed the Getting Started Guide
- Set up SSH access to a Linux test VM
- Opened a port on the test VM, so you can see the result
Step 1: Create a service account
In this guide you’ll deploy the demo app from the getting started guide to a Linux VM.
The first step is to create a service account for the demo app, using the service init command.
It generates a new credential that the app uses to fetch and decrypt its secrets, which you can deploy to the VM over SSH:
secrethub service init your-username/demo \
  --description demo-app \
  --permission read \
  | ssh user@host \
  "mkdir .secrethub && cat > .secrethub/credential"
The SecretHub CLI will look for the credential at ~/.secrethub/credential, which is where the command above writes it.
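The remote part of the pipeline above creates the credential file with whatever the VM user's umask allows, which on many systems means group- and world-readable. As an added example (not part of the SecretHub docs), here is a small POSIX shell function to run on the VM side instead: it writes the credential from stdin with owner-only permissions, refuses to overwrite an existing credential, and checks the result before returning.

```shell
#!/bin/sh
# Added example, not SecretHub's own code: install a service credential read
# from stdin at $HOME/.secrethub/credential with owner-only permissions.

install_credential() {
    dir="${HOME}/.secrethub"
    file="${dir}/credential"

    # Never clobber a deployed credential silently; a redeploy should be deliberate.
    if [ -e "$file" ]; then
        echo "refusing to overwrite existing $file" >&2
        return 1
    fi

    # umask 077 makes the directory and file owner-only from creation, so the
    # credential is never world-readable, not even briefly.
    (
        umask 077
        mkdir -p "$dir" || exit 1
        chmod 700 "$dir" || exit 1   # tighten a pre-existing directory too
        cat > "$file" || exit 1      # stdin is the credential from 'service init'
    ) || return 1

    # Sanity checks: non-empty, and mode exactly -rw------- (first 10 chars of ls).
    if [ ! -s "$file" ]; then
        echo "empty credential written to $file, removing it" >&2
        rm -f "$file"
        return 1
    fi
    case "$(ls -ld "$file" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "unexpected permissions on $file" >&2; return 1 ;;
    esac
}
```

Use it in place of the quoted mkdir/cat string in Step 1, for example `| ssh user@host "$(cat harden.sh); install_credential"` (the file name harden.sh is assumed): the function text is expanded locally into the remote command, and the credential still flows through stdin.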
Step 2: Install the CLI on the VM
With the service credential in place, the next step is to install the SecretHub CLI on the VM.
There are various installation methods available, so pick one that suits you best.
SSH into the VM and run your preferred install command.
If you’re on CentOS, for example, you can use:
yum install -y https://github.com/secrethub/secrethub-cli/releases/download/v0.37.0/secrethub-v0.37.0-linux-amd64.rpm
Step 3: Run the app
To provision the demo app with secrets, set secret references as environment variables and they’ll automatically get replaced with the secret values:
export DEMO_USERNAME=secrethub://your-username/demo/username
export DEMO_PASSWORD=secrethub://your-username/demo/password
To load the secrets into your app, wrap it in secrethub run:
secrethub run -- secrethub demo serve --host 0.0.0.0 --port 1234
Make sure to set the --port flag to an open port on the machine.
Visit the webpage and see it in action!
There you have it, an app running on a Linux VM, provisioned with the secrets it needs. Check out the audit log, and you’ll see reads done by this service account being logged. If you want to rotate the secret, just write a new version to SecretHub and restart the apps that consume it. No config updates needed.