How do you securely consume those secrets though - from everything I have seen with vault or consul you end up with the secret as a environmental variable that is then visible in ps listing.
Kubernetes for instance bind mounts secrets by default on read only in memory filesystems (and on Red Hat systems, with unique SELInux labels) that disappear on reboot. You can of course use secrets in env vars if you want, since sometimes it is easier. The hard part is a lot of handy public docker images use env by default, so you end up being tempted into env for convenience.
And does that Docker instance need a token to read the password out of key/value store somewhere? How then do you securely distribute the token? It seems like that would just be pushing the problem elsewhere.
Also I am assuming that something is preventing that tmpfs filesystem from swapping to disk?
The initial secret can be passed using the cubbyhole technique -- a time- and use- limited token that retrieves the actual token from a 'cubbyhole'.
The long-term secret can be accessed through the native clients for many PLs, which are basically just wrappers around the HTTP(S) API. The long-term secret is never exposed.
