Where to store credentials

Hey @bvetter, for my own projects I store credentials as environment variables in balenaCloud. Similar to what you do, I usually encode the credentials / key in Base64 to handle line breaks.

Where and how to store credentials are definitely frequently asked questions. You could see my teammates discussing these in several forum posts like:

You could look into encrypting the credentials before storing them as environment variables. Then the application decrypts them into memory at runtime. In any case, you need physical security for device access; otherwise, attackers with physical access to your device could still retrieve the decryption key.

A couple of balena users expressed their satisfaction with using a third-party solution like Vault. You start the application with a short-lived token in the environment that allows it to go to Vault and get whatever secrets it needs. Attackers later reading the environment variable (either by spawning a shell in the container or with docker inspect on the host) only get an expired token, and they would have to pull the secrets from the memory of the running process inside the container, which is a fair bit harder.

I know a couple of my teammates have been discussing potential improvements here to reduce friction. I’m going to raise your interest in our internal systems – in order to create more visibility on these asks, and also to message you if and when we release new features on this topic.

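The two patterns in the reply above, as an added example that is not part of the original post or of balena's code: a multi-line credential kept Base64-encoded in one environment variable and decoded at startup, and a short-lived bootstrap token that the application exchanges once for its real secrets, so that a later reader of the environment only finds an expired token. The `FakeVault` class, its `expiry.hmac` token format, and the variable names `SERVICE_KEY_B64` and `VAULT_BOOTSTRAP_TOKEN` are assumptions made for the demo, not the HashiCorp Vault API.

```python
"""Added example (not from the original post): decode a Base64-encoded
multi-line credential from the environment, and exchange a short-lived
bootstrap token for secrets at startup so they live only in process memory.
The vault below is a toy stand-in, not the real Vault API."""
import base64
import hashlib
import hmac
import os
import time

# Constructed multi-line credential, as it looks before Base64 encoding.
SAMPLE_PEM = "-----BEGIN KEY-----\nYWJjZGVm\n-----END KEY-----\n"


def load_base64_env(name, environ=None):
    """Return the decoded text of a Base64-encoded environment variable.
    Base64 keeps newlines out of the variable; validate=True rejects junk."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        raise KeyError(f"{name} is not set")
    return base64.b64decode(raw, validate=True).decode()


class FakeVault:
    """Toy secrets service (assumption). Tokens are 'expiry.hmac' strings
    signed with a key only the service holds; expired tokens are refused."""

    def __init__(self, signing_key: bytes, secrets: dict):
        self._key = signing_key
        self._secrets = secrets

    def _sign(self, expiry: str) -> str:
        return hmac.new(self._key, expiry.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, ttl_seconds, now=None):
        now = time.time() if now is None else now
        expiry = str(int(now + ttl_seconds))
        return f"{expiry}.{self._sign(expiry)}"

    def read_secret(self, token, path, now=None):
        now = time.time() if now is None else now
        expiry, _, sig = token.partition(".")
        if not hmac.compare_digest(sig, self._sign(expiry)):
            raise PermissionError("bad token signature")
        if int(expiry) <= now:
            raise PermissionError("token expired")
        return self._secrets[path]


def bootstrap(vault, environ, now=None):
    """Startup step: trade the bootstrap token for the secrets the app needs.
    After this call the secrets exist only in this process's memory."""
    token = environ["VAULT_BOOTSTRAP_TOKEN"]
    return {"db_password": vault.read_secret(token, "db/password", now=now)}


def demo():
    """Run both patterns against a constructed environment dict."""
    vault = FakeVault(b"constructed-signing-key", {"db/password": "not-a-real-password"})
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    env = {
        "SERVICE_KEY_B64": base64.b64encode(SAMPLE_PEM.encode()).decode(),
        "VAULT_BOOTSTRAP_TOKEN": vault.issue_token(60, now=t0),
    }
    key = load_base64_env("SERVICE_KEY_B64", env)        # newlines restored
    secrets = bootstrap(vault, env, now=t0 + 5)           # within the 60 s TTL
    # An hour later the same token, read back from the environment, is useless.
    try:
        bootstrap(vault, env, now=t0 + 3600)
        later = "still valid"
    except PermissionError as exc:
        later = str(exc)
    return key, secrets, later


if __name__ == "__main__":
    decoded_key, fetched, later = demo()
    print(decoded_key)
    print(fetched)
    print("token reused an hour later:", later)
```

The token's short TTL is what makes the environment variable low-value afterwards; the decoded key and the fetched secrets are held in Python objects only, which matches the reply's point that an attacker would then need to read the running process's memory rather than the container configuration.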