
How to store temporary sensitive data in memory?


I am building an automated workflow (using Saltstack) that delivers an encrypted password to a system that needs to be joined to a domain like this:

    netdom join %computername% /domain:domain.com /UserD:user /PasswordD:passwrd

The encrypted password can be decrypted and fed into the above line using another script. The difficulty is with the storage of this temporary encrypted password. So far, I can only think of two ways of doing this, neither of which is desirable:

  1. RAMDISK - no built-in way to create one so there is a reliance on third party, no good
  2. Environmental variables - persistent variables live in registry aka on disk so still no good

Any suggestions?


Solution

  • It sounds like this password should be stored in an encrypted pillar.

    #!yaml|gpg
    # Pillar file: the gpg renderer decrypts this value when the pillar is compiled.

    net_password: |
      -----BEGIN PGP MESSAGE-----
      hQEMAw2B674HRhwSAQgAhTrN8NizwUv/VunVrqa4/X8t6EUulrnhKcSeb8sZS4th
      W1Qz3K2NjL4lkUHCQHKZVx/VoZY7zsddBIFvvoGGfj8+2wjkEDwFmFjGE4DEsS74
      ZLRFIFJC1iB/O0AiQ+oU745skQkU6OEKxqavmKMrKo3rvJ8ZCXDC470+i2/Hqrp7
      +KWGmaDOO422JaSKRm5D9bQZr9oX7KqnrPG9I1+UbJyQSJdsdtquPWmeIpamEVHb
      VMDNQRjSezZ1yKC4kCWm3YQbBF76qTHzG1VlLF5qOzuGI9VkyvlMaLfMibriqY73
      zBbPzf6Bkp2+Y9qyzuveYMmwS4sEOuZL/PetqisWe9JGAWD/O+slQ2KRu9hNww06
      KMDPJRdyj5bRuBVE4hHkkP23KrYr7SuhW2vpe7O/MvWEJ9uDNegpMLhTWruGngJh
      iFndxegN9w==
      =bAuo
      -----END PGP MESSAGE-----
    
    # State file: the decrypted pillar value is interpolated into the command line.
    join domain:
      cmd.run:
        - name: netdom join %computername% '/PasswordD:{{ pillar["net_password"] }}' /domain:domain.com /UserD:user
    

    If you already have it set up in e.g. a Vault instance, you can use sdb to access it instead.
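
An added example, not part of the original answer or of Salt's own documentation: the same join written so that the decrypted password is not part of the state's `name`, which Salt includes in the state return. The `NET_PASSWORD` variable name and the use of `env`, `yaml_dquote`, `output_loglevel` and `hide_output` are choices made for this illustration; `net_password` is the pillar key from the answer, and `%NET_PASSWORD%` is assumed to be expanded by the shell the same way `%computername%` is.

```yaml
# Added illustration: state file only. The encrypted pillar stays as in the answer.
join domain:
  cmd.run:
    # The command string refers to a process environment variable, so the
    # state name recorded in the job return contains %NET_PASSWORD%
    # rather than the password itself.
    - name: netdom join %computername% /domain:domain.com /UserD:user "/PasswordD:%NET_PASSWORD%"
    # Set only for the spawned process; nothing is written to the registry.
    # yaml_dquote keeps characters such as ':' or '#' in the password from
    # breaking the rendered YAML.
    - env:
      - NET_PASSWORD: {{ pillar["net_password"] | yaml_dquote }}
    # Do not log the command or its output on the minion.
    - output_loglevel: quiet
    # Do not include stdout/stderr in the state return.
    - hide_output: True
```

netdom still receives the password as a command-line argument once the shell expands the variable, so this keeps the secret out of the state name and output, not out of the process's own arguments.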