Read sensitive data prior to dropping privilege at start? chroot option?

Is there any way that sensitive information, such as ssh keys and other credentials, can be read at service startup by root, prior to changing to the openhab user?

Requiring filesystem access to this content (as the openhab user) for the entirety of the openHAB execution is a significant security hole. It’s further exacerbated by Karaf having built-in ssh, the rules being able to execute arbitrary code as the openhab user, and that no chroot is performed.