Docker environment variable security

I have a docker application that I need to pass a secure piece of information to, since it uses a passphrase to encrypt/decrypt stored data. I'm trying to figure out how safe it is to use an environment variable to pass in this information. I know that if I use

docker run -e passphrase="secretkey123" --name containername imagename

Then the value can be found by:

docker inspect containername

Thus it must be stored somewhere on disk (in /var/lib/docker I assume). Is there any more secure way to pass an environment variable to docker? Should I use a temporary file in a volume linked to the host filesystem instead? Is there a better way?

Jakob Weisblat asked Aug 06 '14 20:08

1 Answer

Regardless of where it is stored, it is clearly accessible via "docker inspect". I think it boils down to how secure you want it to be. For example, you can instead have a shared volume with file permissions to restrict access to a password file on disk. Or you could have a socket/ssh/etc. to avoid putting the password into a file on disk at all. It just depends on how secure you really want to be.

I do note that if you have, say, a web server running in a container, I assume if someone breaks out of the web server they can only access what the container can access (and not the host OS where docker is running).

Alan Kent answered Oct 05 '22 21:10
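As an added example (not code from the question or the answer): a small Python helper that shows the exposure the question describes, by pulling credential-looking names out of a constructed `docker inspect` output, next to the file-in-a-volume alternative both posts mention, with the file's mode checked before the passphrase is used. The secret-name pattern, the mounted path and all sample values are assumptions.

```python
import json
import os
import re
import stat
import tempfile

# Variable names that usually carry credentials (pattern is an assumption; extend as needed).
SECRET_NAME_RE = re.compile(r"pass(word|phrase)?|secret|token|api_?key", re.IGNORECASE)

def find_secret_env(inspect_json: str) -> list[str]:
    """Names of Config.Env entries in `docker inspect` output that look like credentials.
    This is the exposure from the question: anyone who may run `docker inspect` reads them."""
    hits = []
    for container in json.loads(inspect_json):
        for entry in container.get("Config", {}).get("Env", []):
            name = entry.partition("=")[0]
            if SECRET_NAME_RE.search(name):
                hits.append(name)
    return hits

def read_passphrase_file(path: str) -> str:
    """Read a passphrase from a mounted file (path is an assumption), refusing one readable
    by group or others; a file read at start-up never appears in `docker inspect`."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: {stat.filemode(mode)} is too permissive, want 0600/0400")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()

def demo() -> dict:
    """Exercise both checks on constructed data (a trimmed inspect output and a temp file)."""
    sample = json.dumps([{"Config": {"Env": [
        "PATH=/usr/local/sbin:/usr/local/bin",
        "passphrase=secretkey123",  # the variable from the question, visible to inspect
        "APP_ENV=production",
    ]}}])
    out = {"leaked_env": find_secret_env(sample)}
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "passphrase")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("secretkey123\n")
        os.chmod(secret, 0o600)
        out["file_value"] = read_passphrase_file(secret)
        os.chmod(secret, 0o644)  # simulate a sloppily provisioned volume
        try:
            read_passphrase_file(secret)
            out["rejected_world_readable"] = False
        except PermissionError:
            out["rejected_world_readable"] = True
    return out
```

The file route still leaves the secret on the host disk, which is why the answer points at a socket or ssh-based hand-off when even that is too much exposure.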