Storing the superadmin password

It is possible to pass the superadmin password by way of an environment variable, so that radkit-service run and other subcommands will not interactively ask for the password. Note that the information on this page only applies to RADKit Service, not to RADKit Control.

RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE

Takes the password from a file referenced by the environment variable.

Note

Since 1.6.5, if the superadmin password is modified (through the WebUI, API, or via RADKit Control), the file referenced by RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE will be automatically updated with the new password, as long as the file is writable by the Service process. On older versions, or if the file is read-only, it must be updated via other means.

Example (on Linux or macOS):

$ touch superadmin-password
$ chmod 600 superadmin-password
$ echo -n 'MyPassW0rd' > superadmin-password
$ export RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE="$PWD/superadmin-password"

Warning

Make sure to protect the superadmin password file so that it cannot be read by anyone except the radkit-service owner and root. Also, the password may still be visible in the shell history file (e.g. .bash_history) if you type it on the command line while creating the file.

CREDENTIALS_DIRECTORY

DEPRECATED since 1.7.0. This method was originally used in systemd deployment scenarios but it did not allow updating the password in the file when changed through the WebUI. You should now use the Linux installer system-wide installation method to deploy RADKit Service as a systemd service (see Linux installer); it relies on RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE which is documented above.

RADKIT_SERVICE_SUPERADMIN_PASSWORD_BASE64

Takes the password directly from the environment variable, encoded in Base64.

Example (on Linux or macOS):

$ export RADKIT_SERVICE_SUPERADMIN_PASSWORD_BASE64="$( echo -n 'MyPassW0rd' | base64 )"

Example (on Windows using PowerShell):

C:\>$env:RADKIT_SERVICE_SUPERADMIN_PASSWORD_BASE64 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("MyPassW0rd"))

Danger

Storing a password in an environment variable is inherently insecure and is not recommended in any way, especially if the password unlocks credentials that grant access to a production environment. The Base64 encoding only protects against the most trivial over-the-shoulder password gleaning attacks. It does not provide any actual security. Use this authentication method at your own risk, preferably in a controlled and secure environment.

Note

This method will NOT save the password if you change it from the WebUI. We recommend RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE instead.

RADKIT_SERVICE_SUPERADMIN_PASSWORD_FD

Allows passing the password through a file descriptor, for example (on Linux or macOS):

$ RADKIT_SERVICE_SUPERADMIN_PASSWORD_FD=3 radkit-service run 3<secret.txt

This is mainly useful when invoking RADKit Service as a subprocess that inherits the open file descriptors of the parent process.
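The subprocess case described above, as an added example that is not part of the RADKit documentation: a parent process pre-loads the password into a pipe and hands only the read end to the child, so the secret is not in the child's environment, its arguments, or a file on disk. The stand-in child command and the function name run_with_password_fd are assumptions, as is the Service reading the descriptor to end-of-file the way it would with the 3<secret.txt redirection.

```python
import os
import select
import subprocess
import sys

ENV_VAR = "RADKIT_SERVICE_SUPERADMIN_PASSWORD_FD"  # variable name from this page

# Stand-in for `radkit-service run` (assumption, so the example runs anywhere):
# it reads the descriptor named by ENV_VAR to EOF and prints the byte count.
STAND_IN_CHILD = [
    sys.executable, "-c",
    "import os; fd = int(os.environ['%s']); "
    "print(len(os.fdopen(fd, 'rb').read()))" % ENV_VAR,
]


def run_with_password_fd(argv, password: bytes):
    """Start argv with the password readable on one inherited pipe descriptor."""
    if len(password) > select.PIPE_BUF:
        raise ValueError("password too long to pre-load into the pipe")
    read_fd, write_fd = os.pipe()
    try:
        try:
            os.write(write_fd, password)  # fits in the pipe buffer, cannot block
        finally:
            os.close(write_fd)            # reader gets EOF right after the password
        env = dict(os.environ)
        env[ENV_VAR] = str(read_fd)       # only the fd number is in the environment
        proc = subprocess.Popen(
            argv,
            env=env,
            pass_fds=(read_fd,),          # every other parent descriptor stays closed
            stdout=subprocess.PIPE,
        )
    finally:
        os.close(read_fd)                 # parent keeps no copy of the read end
    out, _ = proc.communicate()
    return proc.returncode, out


if __name__ == "__main__":
    # Constructed sample password, same value as the page's other examples.
    code, out = run_with_password_fd(STAND_IN_CHILD, b"MyPassW0rd")
    print("exit code:", code, "bytes received by child:", out.decode().strip())
```

To launch the real Service, replace STAND_IN_CHILD with ["radkit-service", "run"] and obtain the password bytes from a secret store rather than a literal.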

Note

This method will NOT save the password if you change it from the WebUI. We recommend RADKIT_SERVICE_SUPERADMIN_PASSWORD_FILE instead.