• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Company · Blog · Newsletter · Events · Partner Program

Downloads      Support      Security     Admin Login
Rublon

Rublon

Secure Remote Access

  • Product
    • Regulatory Compliance
    • Use Cases
    • Rublon Reviews
    • Authentication Basics
    • What is MFA?
    • Importance of MFA
    • User Experience
    • Authentication Methods
    • Rublon Authenticator
    • Remembered Devices
    • Logs
    • Single Sign-On
    • Access Policies
    • Directory Sync
  • Solutions
    • MFA for Remote Desktop
    • MFA for Remote Access Software
    • MFA for Windows Logon
    • MFA for Linux
    • MFA for Active Directory
    • MFA for LDAP
    • MFA for RADIUS
    • MFA for SAML
    • MFA for RemoteApp
    • MFA for Workgroup Accounts
    • MFA for Entra ID
  • Customers
  • Industries
    • Financial Services
    • Investment Funds
    • Retail
    • Technology
    • Healthcare
    • Legal
    • Education
    • Government
  • Pricing
  • Docs
Contact Sales Free Trial

Configuring the Rublon Authentication Proxy Secret Source

August 5, 2025 By Rublon Authors

Starting with version 3.8.0, you can store Rublon Authentication Proxy secrets in OS environment variables by setting the secret_source option to env in the global section of the config.

When secret_source is set to env, each secret’s value in the config file becomes the name of an environment variable, and Auth Proxy reads the actual secret value from that variable.

The Rublon Authentication Proxy secrets are:

  • rublon section:
    • system_token
    • secret_key
  • proxy_servers section:
    • RADIUS:
      • radius_secret
    • LDAP:
      • pkey_password (if used)
  • auth_sources section:
    • RADIUS:
      • radius_secret
    • LDAP:
      • access_user_password

Not Using Rublon MFA Yet?

Try our robust multi-factor authentication for 30 days for free and see how simple it is.

Start Free Trial No Credit Card Required

Configuration Example

log:
  debug: false

global:
  secret_source: env

rublon:
  api_server: https://core.rublon.net
  system_token: SYSTEM_TOKEN
  secret_key: SECRET_KEY

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    radius_secret: RADIUS_SECRET
    ip: 0.0.0.0
    port: 1812
    mode: standard
    auth_source: LDAP_SOURCE_1
    auth_method: email

  - name: LDAP-Proxy
    type: LDAP
    ip: 0.0.0.0
    port: 389
    auth_source: LDAP_SOURCE_1
    auth_method: email

auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip: 127.0.2.0
    port: 389
    transport_type: plain
    search_dn: OU=Organization,DC=org,DC=com
    access_user_dn: CN=AccessUser,OU=Organization,DC=org,DC=com
    access_user_password: ACCESS_USER_PW

  - name: RADIUS_SOURCE_1
    type: RADIUS
    ip: 127.0.1.0
    port: 1812
    radius_secret: RADIUS_SECRET

The preceding example sets secret_source to env. This means that the Rublon Auth Proxy will now treat the config file’s secret values as names of the environment variables to retrieve the actual secrets from the system. In this example, the Auth Proxy expects to find four variables defined in the system:

  • SYSTEM_TOKEN
  • SECRET_KEY
  • RADIUS_SECRET (used twice)
  • ACCESS_USER_PW

Setting Environment Variables (Windows)

After the installation of the Rublon Authentication Proxy on your Windows machine:

1. Open the Registry Editor.

2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RublonAuthProxy.

3. Add a new Multi-String Value (REG_MULTI_SZ) named Environment and add these lines in value data:

SYSTEM_TOKEN=token_value_here
SECRET_KEY=secret_value_here
RADIUS_SECRET=radius_secret_here
ACCESS_USER_PW=access_user_password_here
Image showing how to set the values of secrets in environment variables in Windows Registry.

4. Restart the Rublon Authentication Proxy service.

Setting Environment Variables (Linux)

After the installation of Rublon Authentication Proxy on your Linux machine:

1. Run:

systemctl edit rublon

2. Modify the service file by setting environment variables like this:

[Service]
Environment="SYSTEM_TOKEN=token_value_here"
Environment="SECRET_KEY=secret_value_here"
Environment="RADIUS_SECRET=radius_secret_here"
Environment="ACCESS_USER_PW=access_user_password_here"
Image showing how to set the values of secrets in environment variables on Linux.

3. Save the file and restart the proxy service:

systemctl restart rublon

Updating Environment Variables

Every time you change the environment variables used by the Rublon Authentication Proxy, you must restart the Auth Proxy service to apply the new values. The Auth Proxy reads environment variables at start-up and does not automatically update them later.

Benefits of Setting Secrets in Environment Variables

  • No Plaintext Secrets in Config File. The Auth Proxy config file contains environment variable names, not secret values. You do not have to redact anything before sharing the config file with the Rublon Support.
  • Simpler Update. Update the environment variables without touching the Auth Proxy config file. Simply restart the proxy after the update.
  • Separation of Duties. One admin can manage secret values in environment variables, while another admin can maintain the Auth Proxy config file.
  • Works with Standard Tooling. Systemd, Windows Services, containers, and CI/CD all support injecting environment variables.

Security Note


Environment variables reduce accidental exposure in shared files, but they are not a silver bullet. OWASP Secrets Management Cheat Sheet advises preferring a proper secrets vault and warns env vars may leak via process inspection, logs, or dumps; treat them as sensitive and limit exposure.

Practical Tips


  • Use a secrets manager as a source of truth.
  • Avoid printing env in logs.
  • Scope OS/service permissions tightly.

Summary

Switching secret_source to env keeps sensitive values out of the Auth Proxy config file and loads them from the operating system instead. Define the required environment variables, update the proxy config to reference their names, and restart the proxy service to apply changes. This approach yields cleaner configs and reduces accidental secret exposure in files.

Filed Under: Blog

Try Rublon for Free
Start your 30-day Rublon Trial to secure your employees using multi-factor authentication.
No Credit Card Required


Footer

Product

  • Regulatory Compliance
  • Use Cases
  • Rublon Reviews
  • Authentication Basics
  • What is MFA?
  • Importance of MFA
  • User Experience
  • Authentication Methods
  • Rublon Authenticator
  • Remembered Devices
  • Logs
  • Single Sign-On
  • Access Policies
  • Directory Sync

Solutions

  • MFA for Remote Desktop
  • MFA for Windows Logon
  • MFA for Remote Access Software
  • MFA for Linux
  • MFA for Active Directory
  • MFA for LDAP
  • MFA for RADIUS
  • MFA for SAML
  • MFA for RemoteApp
  • MFA for Workgroup Accounts
  • MFA for Entra ID

Secure Your Entire Infrastructure With Ease!

Experience Rublon MFA
Free for 30 Days!

Free Trial
No Credit Card Required

Need Assistance?

Ready to Buy?

We're Here to Help!

Contact

Industries

  • Financial Services
  • Investment Funds
  • Retail
  • Technology
  • Healthcare
  • Legal
  • Education
  • Government

Documentation

  • 2FA for Windows & RDP
  • 2FA for RDS
  • 2FA for RD Gateway
  • 2FA for RD Web Access
  • 2FA for SSH
  • 2FA for OpenVPN
  • 2FA for SonicWall VPN
  • 2FA for Cisco VPN
  • 2FA for Office 365

Support

  • Knowledge Base
  • FAQ
  • System Status

About

  • About Us
  • Blog
  • Events
  • Co-funded by the European Union
  • Contact Us

  • Facebook
  • GitHub
  • LinkedIn
  • Twitter
  • YouTube

© 2025 Rublon · Imprint · Legal & Privacy · Security

  • English
  • Polski (Polish)