I taught myself QuickBasic as it was the only thing I knew that was related to copying C64 BASIC out of magazines. (QBasic was packaged with DOS 3.11 I think and I was able to get a full copy of QuickBasic somehow. That was about +30 years ago? Dunno. I was about 12 at the time.) I didn’t know what other languages were out there besides TurboPascal. I did learn simple Pascal, but that was a short chapter.

I actually met someone else in the area that was learning to code, and of course, we wanted to write a game. The only way to code for a mouse at the time was to write an INT33 handler, so it kicked off our interest in asm. (I still use asm for MCU stuff on occasion, but it’s limited.) I quickly diverged into writing some really nifty… eh… “boot sector code” so that kicked off my career in security.

And yeah, it’s the same phenomenon for me: I just think in terms of bits and bytes getting shifted around and I still refuse to believe in “magic”. (Slight jab at Rust coders there, but in good fun.)

Fast forward to today, I train “kids” fresh out of college as part of my job now. The first thing I do is start giving them weird tasks that require they actually understand how something like an fopen() actually works.

(Funny story. I refused to “show my work” in math class for simple f(x) problems as I viewed it as unoptimized code. Lulz. I was such an autistic dork.)

That, 200%!

When I started in computers, years ago, I transitioned from QuickBasic directly into assembly. Ever since then, I can kinda “read the Matrix” (Blond, Brunette, Redhead…) and forget about how confusing a raw binary or how a mess of a dmp looks to someone else. (To me, I really just see patterns and nothing massively complicated.)

“It’s just data.” - You would be surprised how fuzzy that statement is for some people. It’s almost exactly like telling someone who doesn’t speak any English that “the sky is blue”. It’s totally cool though! Learning about the internals of any computer is really just a very long chain of “aha moments” as many concepts aren’t intuitive.

I would look into something like Doppler instead of Vault. (I don’t trust any company acquired by IBM. They have been aquiring and enshittifying companies before there was even a name for it.)

Look into how any different solutions need their keys presented. Dumping the creds in ENV is generally fine since the keys will need to be stored and used somehow. You might need a dedicated user account to manage keys in its home folder.

This is actually a host security problem, not generally a key storage problem per se. Regardless of how you have a vault setup, my approach here is to create a single host that acts as a gateway for the rest of the credentials. (This applies to if keys are stored in “the cloud” or in a local database somewhere.)

Since you are going to using a Pi, you should focus on that being a restricted host: Only run your chosen vault solution on it. Period. Secure and patch it to the best of your ability and use very specific host firewall rules for minimum connectivity. Ie: Have one user for ssh in and limit another user account to managing vault, preferably without needing any kind of elevated access. This is actually a perfect use case for SELinux since you can put in some decent restrictions on the host for a single app (and it’s supporting apps…)

If you are paranoid enough to run a HIDS, you can turn on all the events for any type of root account actions. In theory once the host is configured, you shouldn’t need root again until you start performing patches.

I dump memory more often than you would think. It’s usually not obfuscated or encrypted in any meaningful way even though it is fairly trivial to do so.

It’s good practice to scour through any bloatware installed on windows laptops. Since bloatware is generally written by the lowest bidder, you can find all kinds of keys and phone-home urls (sometimes with all the parameters) and other weird things. Just fire up a decent hex editor and search for strings in the dump file. You don’t need to know jack about reverse engineering either.

That’s what you just got shown: Shove the configgy bits into Git.

You will likely have to find the configs you want to save first.

Meh, I didn’t mean to hate on DHCP. It’s just a service I have learned to keep running all by itself somewhere in a dark corner of my network. DNS and DHCP are just services that I don’t like going down. Ever.

DHCP is a really stupid* service for the most part. Unless you are working with multiple subnets or have some very specific settings you need to pass to your clients, it’s probably not worth it to manage it yourself. I don’t want to discourage you though! Assigning static IP addresses by MAC can be extremely useful and is not always an option on routers. If you want static names and dynamic addresses, that is really where you need to manage both DNS and DHCP. It really depends on how and where you want names to be resolved and what you are trying to accomplish. (*stupid as in, it’s a really simple service. You want it simple because when DHCP breaks, you have other serious issues going on.)

Setting up your own DNS is worth its weight in gold. You can put it just about anywhere on your network (before your gateway, after, in China, whatever.) and your network won’t even know the difference if setup correctly. You can point BIND at the root servers and bypass your ISP completely if you want. ISP DNS services suck ass, so regardless of you resolve yourself, or forward all name queries to your anon DNS server of choice you have a really decent level of control on your network. It is the service to learn if you want to keep an eye on where your network wants to talk.

Your Unifi USG must play nice with your own server, by the laws of DNS. There may be some nuances when it comes to internal protocols like WINS, but other than that, it should be just fine.

I would setup a simple VM somewhere first, to answer your actual question. It’s good practice to keep core services isolated on their own, dedicated instances. This is to speed up recovery time and minimize down time. Even on your home network, DNS and DHCP are services you do not want going down. It’s always a pain when they do go down.

Ditto. I was in an unlucky block of dynamic IPs from my ISP once. Not only was sending or receiving email out of the question, my IP addresses were somehow part of firewall blacklists as well. I couldn’t get to banks at all and tons of random places were just dropping my traffic. It was a serious pain.