As far as I understand, a problem with the idea of a pepper is that, if it’s stored as part of your code, then the hacker can read it if they can access your code.
So I was wondering, would it not be better to store the pepper in memory? I’m thinking of running the server in such a way that the pepper is made available to the server’s memory, without it being visible in the environment or in the process list or in the shell history. To obtain it, the hacker would need to run a memory debugger as the user that’s running the server, or as root. Maybe even run the process under something like RamCrypt, to encrypt its memory at runtime.
The scenario is that of running a server on a cloud Linux machine.
In that case, is there any better way of storing a pepper? Or is there something wrong with the in-memory idea?