Why are Docker Secrets considered safe?

Question

I read about docker swarm secrets and did also some testing. As far as I understood the secrets can replace sensitive environment variables provided in a docker-compose.yml file (e.g. database passwords). As a result when I inspect the docker-compose file or the running container I will not see the password. That's fine - but what does it really help?

If an attacker is on my docker host, he can easily take a look into the /run/secrets

docker exec -it df2345a57cea ls -la /run/secrets/

and can also look at the data inside:

docker exec -it df27res57cea cat /run/secrets/MY_PASSWORD

The same attacker can mostly open a bash on the running container and look how its working....

Also if an attacker is on the container itself he can look around.

So I did not understand why docker secrets are more secure as if I write them directly into the docker-compose.yml file?

Answer 1

A secret stored in the docker-compose.yml is visible inside that file, which should also be checked into version control where others can see the values in that file, and it will be visible in commands like a docker inspect on your containers. From there, it's also visible inside your container.

A docker secret conversely will encrypt the secret on disk on the managers, only store it in memory on the workers that need the secret (the file visible in the containers is a tmpfs that is stored in ram), and is not visible in the docker inspect output.

The key part here is that you are keeping your secret outside of your version control system. With tools like Docker EE's RBAC, you are also keeping secrets out of view from anyone that doesn't need access by removing their ability to docker exec into a production container or using a docker secret for a production environment. That can be done while still giving developers the ability to view logs and inspect containers which may be necessary for production support.

Also note that you can configure a secret inside the docker container to only be readable by a specific user, e.g. root. And you can then drop permissions to run the application as an unprivileged user (tools like gosu are useful for this). Therefore, it's feasible to prevent the secret from being read by an attacker that breaches an application inside a container, which would be less trivial with an environment variable.