I’m working on a snap that will need encrypted files supplied as after the snap is installed, (e.g. the encrypted files are not part of the snap). Those encrypted files should be located in a keystore-path.
The snap runs a service, which needs a password + the files located in the keystore-path to start. The password lives in a password-file
I’m looking for some advice and/or examples on how to implement this within a snap context.
How to supply/make accessible the encrypted files in the keystore-path?
How to get a password into a password-filename accessible to the snap service - in a secure way? Possibly by some facility available in the snap world?
Any advice here is welcome.
Ideally, I would be able to use some facility to keep the password inside the “password-file” even safer. But that’s a bonus I guess.
In fact $HOME/snap/<snapname>/current is the snaps home, all snaps can access this via the $SNAP_USER_DATA variable and $HOME will by default point to this directory at runtime. current is a symlink to a versioned directory, so that if you roll back and forth your snap revision (using snap revert and snap refresh), your $HOME will always find the exact data for the particular version.
Equivalently $SNAP_USER_COMMON points to $HOME/snap/<snapname>/common which is unversioned and should hold payload data of your snap that you do not want duplicated by version.
/var/snap/<snapname>/current and /var/snap/<snapname>/common are the system level equivalents to this (but only root writable since they live in /var where normal users can not write) and can be accessed through the $SNAP_DATA and $SNAP_COMMON variables.