Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is Docker Secrets more secure than environment variables?

Tags:

security

docker

environment-variables

docker-secrets

I'm reading up on Docker Secrets and keep reading that the folks at Docker deliberately chose storing secrets in files under /run/secrets rather than going with environment variables. But nowhere have I been able to find an explanation as to why.

So I ask: why is using the Docker Secrets mechanism more secure than injecting environment variables into my containers (via -e or a --env-file)?

like image 613
smeeb Avatar asked Jun 18 '17 14:06

smeeb

People also ask

How secure is docker secrets?

Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.

Are environment variables secure docker?

However, env vars are not particularly secure either. They are visible via docker inspect , and hence they are available to any user that can run docker commands. (Of course, any user that has access to docker on the host also has root anyway.)

Should I use docker secrets?

Conclusion. Secrets are an important tool for any container-based architecture because they help us achieve the goal of keeping code and configuration separate. In addition, Docker secrets provide a way to securely store sensitive data and make it available to applications that need it.

Is docker in docker secure?

Conclusions. Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.

1 Answers

Because secrets are encrypted. From the documentation :

Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.

you can also

use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it.

The problem with environment variables is that all your passwords and ssh keys are stored in clear and all processes with the same privileges or more privileges as you, have also access to these credentials. In *nix OS, you can easily read environment variables of a process with a pid value of <pid> with :

cat /proc/<pid>/environ
like image 93
Ortomala Lokni Avatar answered Sep 19 '22 08:09

Ortomala Lokni
Sign in to Comment

Related questions

Permanent browser cache using ServiceWorker
Newtonsoft JSON.NET Security Vulnerability Implementation
OWASP ESAPI simpleTest in a Maven Java EE project
IIS7 give ApplicationPoolIdentity access to a network location
OpenID Connect will eventually replace SAML as the dominant protocol for SSO?
Could WASM be used to check integrity of a JS method?
Using runAsNonRoot in Kubernetes
Is createTextNode completely safe from HTML injection & XSS?
get SecKeyRef from base64 coded string
Securely storing an access token
Can I run Docker-in-Docker without using the --privileged flag
Files.exists(path) and path.toFile().exists() give different results for the same file
How to safely store & process secret key for JWT
Securing ELMAH while yet making it possible to access it via RSS Reader
A Guice-ready security framework?
Installing secure CodeIgniter with Sparks
How do I integrate HSM encryption with JAVA?
Azman Obsolete? What is the new alternative to Azman?
Increase reCAPTCHA session timeout
Generate base64 url-encoded X.509 format 2048-bit RSA public key with Swift?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!