I'm reading up on Docker Secrets and keep reading that the folks at Docker deliberately chose storing secrets in files under /run/secrets
rather than going with environment variables. But nowhere have I been able to find an explanation as to why.
So I ask: why is using the Docker Secrets mechanism more secure than injecting environment variables into my containers (via -e
or a --env-file
)?
Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.
However, env vars are not particularly secure either. They are visible via docker inspect , and hence they are available to any user that can run docker commands. (Of course, any user that has access to docker on the host also has root anyway.)
Conclusion. Secrets are an important tool for any container-based architecture because they help us achieve the goal of keeping code and configuration separate. In addition, Docker secrets provide a way to securely store sensitive data and make it available to applications that need it.
Conclusions. Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.
Because secrets are encrypted. From the documentation :
Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.
you can also
use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it.
The problem with environment variables is that all your passwords and ssh keys are stored in clear and all processes with the same privileges or more privileges as you, have also access to these credentials. In *nix OS, you can easily read environment variables of a process with a pid value of <pid>
with :
cat /proc/<pid>/environ
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With