I'd like to be able to package up some redis EVAL scripts within a redis instance to give to a client. For lazy purposes, I'd like to be able to hardcode some sensitive information within the script (for decoding some keys).
So in theory, the client would just call EVALSHA on the prepackaged redis instance.
- Is there a way to prepackage the scripts through a command line (for use with Docker)?
- Is there any way the scripts can be recovered (and the sensitive information exposed)?
Comment From: yossigo
@zcaudate there is no option of pre-packaging scripts as it contradicts the idea that script management is the client's responsibility and Redis has few guarantees there.
You may still run redis-cli locally after the process starts and prepopulate the scripts from some file. Currently there's no explicit way to retrieve scripts, but a replica (or any client that performs SYNC) will get them as part of the RDB stream.
Another alternative you may want to consider is a module - you can use it to implement anything Lua does. It is deployed as a compiled binary and is not shipped to clients/replicas/etc. This means secrets you maintain in it will be as protected as your OS permits (i.e. permissions to read the file, read process memory, etc.).
Comment From: zcaudate
@yossigo: thanks for clearing that up. I was thinking of using redis as a quick and dirty HSM and it might end up being okay for this particular use case. Just to be sure, if redis-cli is run to load the scripts within a docker file to build an image, will the built redis image then contain the scripts preloaded on startup?
Comment From: yossigo
No, you'll need the scripts in the image and run redis-cli when the container starts, because normally Redis doesn't persist scripts in RDB files.
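The two points above (prepopulating scripts with redis-cli once the server is up, and the fact that any client allowed to SYNC receives the loaded scripts in the RDB stream) can be put together in one entrypoint script. What follows is an added example written for this thread, not code from the issue or from the Redis project. It assumes a layout that is not in the thread: scripts are `*.lua` files under `$SCRIPT_DIR`, the server listens on `$REDIS_HOST:$REDIS_PORT`, and the `entrypoint` / `leak` subcommand names are made up here. `redis-cli -x` (read the last argument from stdin) and `redis-cli --rdb` (perform a sync and write the received RDB to a file) are real redis-cli options. The leak check reflects the Redis versions the thread is about; Redis 7.0 stopped propagating scripts through the RDB stream, so on 7.x the pattern is not expected to be found.

```shell
#!/bin/sh
# Added example, not from the original issue or the Redis project.
# Assumed (not from the thread): scripts are $SCRIPT_DIR/*.lua, redis-server
# and redis-cli are on PATH, and the server listens on $REDIS_HOST:$REDIS_PORT.
REDIS_HOST="${REDIS_HOST:-127.0.0.1}"
REDIS_PORT="${REDIS_PORT:-6379}"
SCRIPT_DIR="${SCRIPT_DIR:-/scripts}"

# EVALSHA identifies a script by the SHA1 of its exact body bytes, so the
# expected digest can be computed offline from the file before any server runs.
script_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi \
        | cut -d' ' -f1
}

# Poll until the server answers PING (up to 30 s).
wait_for_redis() {
    i=0
    until [ "$(redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" ping 2>/dev/null)" = "PONG" ]; do
        i=$((i + 1))
        [ "$i" -ge 30 ] && { echo "redis not reachable" >&2; return 1; }
        sleep 1
    done
}

# SCRIPT LOAD each file and check that the SHA the server returns equals the
# local SHA1 of the file. -x passes the file bytes verbatim as the last
# argument, so trailing newlines are preserved; a Lua compile error shows up
# as an "(error) ..." reply and therefore as a mismatch.
load_scripts() {
    for f in "$SCRIPT_DIR"/*.lua; do
        [ -f "$f" ] || continue
        expected=$(script_sha1 "$f")
        got=$(redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" -x SCRIPT LOAD < "$f")
        if [ "$got" != "$expected" ]; then
            echo "SHA mismatch for $f: server=$got local=$expected" >&2
            return 1
        fi
        echo "$(basename "$f") $got"
    done
}

# Return 0 if PATTERN occurs in FILE, reading the file as text even if binary.
secret_in_file() {
    grep -a -q -e "$2" "$1"
}

# The recovery path from the thread: a client that performs SYNC gets the RDB
# stream, which on the Redis versions discussed here carries every loaded
# script (Redis 7.0 removed this). redis-cli --rdb does exactly that sync.
show_script_leak() {
    pattern="$1"
    dump=$(mktemp)
    redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" --rdb "$dump" >/dev/null
    if secret_in_file "$dump" "$pattern"; then
        echo "secret '$pattern' recovered from SYNC stream ($dump)"
    else
        echo "pattern not found in SYNC stream"
    fi
}

# Subcommands are invented for this example, e.g. in a Dockerfile:
#   CMD ["sh", "/entrypoint.sh", "entrypoint", "--appendonly", "yes"]
case "${1:-}" in
    entrypoint)
        shift
        redis-server "$@" &        # server in the background, scripts loaded after it is up
        pid=$!
        wait_for_redis && load_scripts
        wait "$pid" ;;
    leak) show_script_leak "${2:?pattern}" ;;
esac
```

Scripts are loaded on every container start, which is what the comment above requires, and the SHA comparison doubles as an integrity check that the script the server holds is byte-for-byte the one shipped in the image. Running `sh entrypoint.sh leak 'mysecret'` against the same server from any host that can open a connection is the whole recovery "exploit": no special privilege beyond being allowed to sync.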
Comment From: zcaudate
@yossigo - got it. thanks for your help!