How to securely store secrets in Docker container?

Docker Secrets is the new recommended method for sharing & storing secrets inside containers. Docker deliberately opted to store secrets in files under /run/secrets over the environment variable approach.


Generally speaking you have to assume tighter security for the instance that's running the container than the container itself because, as you point out, a compromise there affects everything downstream. This is the same with the VM host that's running your ec2 instance.

A standard solution is to pass secrets into the container via environment variable. I've also seen solutions (for secrets stored in Hashicorp Vault) that create a fuse filesystem that's mounted into the container or a similar approach using a Docker volume driver. This isn't quite as straightforward, but may be easier if you're passing lots of secrets.

Tags:

Docker

Environment Variables

Aws

Secret Sharing

Related

Is it OK to pass credentials to the client to allow it to upload files to Amazon S3? Does adding a password to BIOS prevent malware from infecting it? Is redirecting in htaccess providing enough security for sensitive pages? Is there a good 160 bit alternative for SHA-1? Is it possible to escalate privileges and escaping from a Docker container? Why is there no adoption of RFC 7616 (HTTP Digest Auth) Postgres password security Why is "hovering over" a link in an email considered safe? Or is it harmful? Which encryption algorithm is used in password protected *.pfx/PKCS 12 certificates? Whats the difference between an evil twin and a rogue access point? Is there a field length that is too short to allow harmful SQL injection? understanding the "Offering RSA public key" step during SSH connection initialization

Recent Posts