In the fast-paced world of containerized applications, managing secrets is a critical aspect of maintaining security and compliance. Docker containers are no exception.
Containers offer numerous advantages, but they also introduce unique challenges when it comes to handling sensitive information like API keys, passwords, and cryptographic keys.
In this blog post, we’ll explore best practices for managing secrets in Docker containers to help you keep your applications secure and your data protected.
How can you manage secrets in docker?
There are many effective ways to store and manage secrets in Docker.
Docker provides a built-in feature called Docker Secrets, designed explicitly for managing sensitive data.
Docker Secrets allows you to store secrets in a secure manner and pass them to containers at runtime.
This feature is particularly useful for orchestrators like Docker Swarm and Kubernetes.
In this blog, we’ll walk through the process of creating and managing an example secret in Docker Swarm. Secret management is a crucial aspect of maintaining security in containerized environments, and Docker Swarm makes it easier than ever. Let’s dive in:
1. Creating secret
Before creating a secret, it is necessary to initiate Docker Swarm. You can do so using the following command:
docker swarm initTo create a Docker secret, use the command “docker secret create.” For instance, to make a secret named “my_secret” from a file called “secret.txt,” use this command:
docker secret create my_secret secret.txtEnsure that you delete the secret.txt file to avoid any security risks:
rm secret.txtTo verify the successful creation of the secret, you can execute the provided command:
docker secret lsCreate a Docker service that uses the secret:
docker service create --name my_service --secret my_secret my_image
In this example, we’ve created a service named “my_service” using the “docker service create” command. The –secret flag is used to specify the secret “my_secret” for the service. The service is created from the Docker image “my_image.”
- We can pass a Docker secret to a service defined in a “docker-compose.yml” file. Below is an example of a “docker-compose.yml” file that uses a secret for a service:
version: "3.7"
services:
my_app:
image: my_image
secrets:
- my_secrets
2. Docker compose
Docker Compose is a tool for defining and running multi-container Docker applications.
It allows you to define a multi-container environment in a single configuration file (commonly called docker-compose.yml) and then use a single command to start and manage all the containers in that environment.
Docker Compose simplifies application setup through a single configuration file, ensuring swift and uniform deployment across diverse environments.
For organizations handling sensitive data, Docker Compose offers an efficient secrets management solution. Secrets like passwords and API keys can be read from external files (e.g., TXT).
However, exercise caution to avoid committing these files alongside your code to maintain security.
version: '3.1'
services:
my_app:
image: my_image
secrets:
- my_secret
secrets:
my_secret:
file: ./secret.txt
3. Sidecar container
A common approach for securely managing and storing secrets within a Docker environment is the use of sidecar containers.
This method involves transferring secrets to the primary application container through a sidecar container, which may also function as a secrets manager or a secure service.
Here’s an illustration of this concept with a HashiCorp Vault sidecar for a MongoDB container:
Begin by creating a Docker Compose (docker-compose.yml) file comprising two services: “mongo” and “secrets.”
In the “secrets” service, employ an image that includes your chosen secret management tool, such as HashiCorp Vault.
Establish a volume mount from the “secrets” container to the “mongo” container. This connection allows the “mongo” container to access the secrets securely stored within the “secrets” container.
Within the “mongo” service, employ environment variables to configure the credentials required for the MongoDB database. These variables can reference the secrets stored in the mounted volume, ensuring secure access to sensitive data.
By adopting this strategy, you can enhance the security of your Dockerized applications by isolating and managing secrets in a dedicated sidecar container, promoting robust data protection practices.
version: '3.7'
services:
mongo:
image: mongo
volumes:
- secrets:/run/secrets
environment:
MONGO_INITDB_ROOT_USERNAME_FILE: /run/secrets/mongo-root-username
MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo-root-password
secrets:
image: vault
volumes:
- ./secrets:/secrets
command: ["vault", "server", "-dev", "-dev-root-token-id=myroot"]
ports:
- "8200:8200"
volumes:
secrets:
4. Mozilla SOPS
SOPS is an open-source tool and workflow for managing secrets. It is designed to simplify and secure the process of handling sensitive data, such as passwords, API keys, and encryption keys, within configuration files, version control systems, and other environments.
version: '3.7'
services:
myapp:
image: myapp:latest
environment:
API_KEY: ${API_KEY}
secrets:
- mysecrets
sops:
image: mozilla/sops:latest
command: ["sops", "--config", "/secrets/sops.yaml", "--decrypt", "/secrets/mysecrets.enc.yaml"]
volumes:
- "/secrets:/secrets"
environment:
SOPS_PGP_PRIVATE_KEY: /secrets/myprivatekey.asc
secrets:
- mysecrets
external: true
Embedding secrets directly into Docker images poses significant security risks, leaving them susceptible to exploitation by malicious actors.
While exploring various best practices for avoiding the inclusion of plaintext secrets in Docker images, security considerations extend further, its crucial to conduct image scans for concealed secrets.
Docker files commence with a FROM directive, specifying the base image. It’s essential to grasp that utilizing a base image, particularly from a public repository like Docker Hub, involves importing external code, which might conceal hardcoded secrets.
The scope of exposure goes beyond what’s visible in your Dockerfile. In essence, it’s plausible to extract plaintext secrets hardcoded in a prior layer, starting from your image.
In reality, numerous public Docker images are susceptible to such issues. In 2021, Docker Hub images harbored at least one hidden secret.
Vigilance in scanning and scrutinizing your Docker images is paramount to maintaining a robust security posture in containerized environments.
Summing up
In conclusion, effective secrets management is a pivotal aspect of safeguarding the security of your containerized applications in Docker.
Docker itself provides valuable tools like Docker Secrets and Docker Compose files for this purpose.
However, organizations can enhance their secrets management practices by incorporating third-party solutions such as HashiCorp Vault and Mozilla SOPS.
These technologies offer advanced features like robust access control, encryption, and comprehensive audit logging, bolstering the overall security of secret management.
Furthermore, proactive measures to detect and mitigate accidental or unintended exposure of sensitive data are paramount when dealing with secrets in Docker.
