Docker and securing passwords
Definitely it is a concern. Dockerfiles are commonly checked into repositories and shared with other people. An alternative is to provide any credentials (usernames, passwords, tokens, anything sensitive) as environment variables at runtime. This is possible via the -e argument (for individual vars on the CLI) or the --env-file argument (for multiple variables in a file) to docker run. Read this for using environment variables with docker-compose.
Using --env-file is definitely a safer option since this protects against the secrets showing up in ps or in logs if one uses set -x.
However, env vars are not particularly secure either. They are visible via docker inspect, and hence they are available to any user that can run docker commands. (Of course, any user that has access to docker on the host also has root anyway.)
My preferred pattern is to use a wrapper script as the ENTRYPOINT or CMD. The wrapper script can first import secrets from an outside location into the container at run time, then execute the application, providing the secrets. The exact mechanics of this vary based on your run time environment. In AWS, you can use a combination of IAM roles, the Key Management Service, and S3 to store encrypted secrets in an S3 bucket. Something like HashiCorp Vault or credstash is another option.
AFAIK there is no optimal pattern for using sensitive data as part of the build process. In fact, I have an SO question on this topic. You can use docker-squash to remove layers from an image. But there's no native functionality in Docker for this purpose.
You may find shykes' comments on config in containers useful.
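The wrapper-script pattern from the answer above, as an added example that is not from the original post: a POSIX sh ENTRYPOINT that loads secrets from files in a mounted directory into the environment at run time, checks that the required ones are present, and then execs the application. SECRETS_DIR, the /run/app-secrets path and the required variable names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): an ENTRYPOINT wrapper that pulls
# secrets into the container at run time instead of baking them into the image
# or passing them on the command line. SECRETS_DIR is an assumed mount point,
# e.g. a tmpfs populated by the orchestrator, an init container or a sidecar.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/app-secrets}"

# load_secrets DIR: export one environment variable per file in DIR, named after
# the file and holding its contents (trailing newline stripped). Values are read
# from files, so they never appear as process arguments in ps, and nothing here
# is echoed, so a set -x trace of the caller does not leak them either.
load_secrets() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "load_secrets: no such directory: $dir" >&2
        return 1
    fi
    for path in "$dir"/*; do
        [ -f "$path" ] || continue        # an empty dir leaves the literal glob
        name=$(basename "$path")
        # Accept only names that are valid environment variable identifiers.
        case "$name" in
            *[!A-Za-z0-9_]*|[0-9]*)
                echo "load_secrets: skipping invalid name $name" >&2
                continue ;;
        esac
        value=$(cat "$path")
        export "$name=$value"
    done
}

# secrets_loaded NAME...: return 0 only if every NAME is set and non-empty, so
# the wrapper fails fast instead of starting the app half-configured.
secrets_loaded() {
    for name in "$@"; do
        eval "v=\${$name:-}"
        [ -n "$v" ] || return 1
    done
    return 0
}

# When invoked as the container entrypoint, load the secrets and then replace
# this shell with the real application (the CMD), which inherits the env.
if [ "$#" -gt 0 ]; then
    load_secrets "$SECRETS_DIR"
    secrets_loaded SOME_USERNAME SOME_PWD_VAR || { echo "missing required secrets" >&2; exit 1; }
    exec "$@"
fi
```

Mount the secrets directory read-only (for example with -v or a tmpfs mount) so the files are never written into an image layer.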
Our team avoids putting credentials in repositories, so that means they're not allowed in Dockerfile. Our best practice within applications is to use creds from environment variables. We solve for this using docker-compose.
Within docker-compose.yml, you can specify a file that contains the environment variables for the container:
env_file:
- .env
Make sure to add .env to .gitignore, then set the credentials within the .env file like:
SOME_USERNAME=myUser
SOME_PWD_VAR=myPwd
Store the .env file locally or in a secure location where the rest of the team can grab it.
See: https://docs.docker.com/compose/environment-variables/#/the-env-file
Docker now (version 1.13 or 17.06 and higher) has support for managing secret information. Here's an overview and more detailed documentation.
A similar feature exists in Kubernetes and DCOS.