7

I'm using the mysql image as an example, but the question is generic.

The password used to launch mysqld in docker is not visible in docker ps; however, it is visible in docker inspect:

sudo docker run --name mysql-5.7.7 -e MYSQL_ROOT_PASSWORD=12345 -d mysql:5.7.7

CONTAINER ID        IMAGE               COMMAND                   CREATED             STATUS              PORTS               NAMES
b98afde2fab7        mysql:5.7.7         "/entrypoint.sh mysq   6 seconds ago       Up 5 seconds        3306/tcp            mysql-5.7.7

sudo docker inspect b98afde2fab75ca433c46ba504759c4826fa7ffcbe09c44307c0538007499e2a

"Env": [
        "MYSQL_ROOT_PASSWORD=12345",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "MYSQL_MAJOR=5.7",
        "MYSQL_VERSION=5.7.7-rc"
    ]

Is there a way to hide/obfuscate environment parameters passed when launching containers? Alternatively, is it possible to pass sensitive parameters by reference to a file?

Sergei Rodionov
    duplicate of http://security.stackexchange.com/questions/70827/passing-secret-keys-securely-to-docker-containers ? – user2915097 Jun 10 '15 at 07:48
  • @user2915097 - Some good information in the security.EX link, but it doesn't provide a solution for passing environment variables as a file to docker. It rather concludes that if access to docker is obtained, all bets are off. I'm looking for some practical ways of passing env. variables to a container without exposing them as plain text to `info` or `inspect` – Sergei Rodionov Jun 10 '15 at 07:55
  • you can pass an encrypted password and decrypt it in the container before using it, it adds a level – user2915097 Jun 10 '15 at 09:36
  • 1
    you say "Alternatively, is it possible to pass sensitive parameters by reference to a file?" , extract from the doc http://docs.docker.com/reference/commandline/cli/#run `--env-file=[] Read in a file of environment variables` – user2915097 Jun 10 '15 at 11:33
  • @user2915097 - super, I somehow missed it. – Sergei Rodionov Jun 10 '15 at 11:50

2 Answers

10

Weirdly, I'm just writing an article on this.

I would advise against using environment variables to store secrets, mainly for the reasons Diogo Monica outlines here; they are visible in too many places (linked containers, docker inspect, child processes) and are likely to end up in debug info and issue reports. I don't think using an environment variable file will help mitigate any of these issues, although it would stop values getting saved to your shell history.

Instead, you can pass in your secret in a volume, e.g.:

$ docker run -v $(pwd)/my-secret-file:/secret-file ....

If you really want to use an environment variable, you could pass it in as a script to be sourced, which would at least hide it from inspect and linked containers (e.g. CMD source /secret-file && /run-my-app).

The main drawback with using a volume is that you run the risk of accidentally checking the file into version control.

A better, but more complicated solution is to get it from a key-value store such as etcd (with crypt), keywhiz or vault.

Adrian Mouat
  • Neat, please post a link to the article once it is ready. Hopefully there will be a reference to a sample Dockerfile. The env file could be deleted after launch, by the way. – Sergei Rodionov Jun 10 '15 at 12:24
  • If you're referring to passing a file with --env-file, the vars will still be visible to docker inspect and linked containers even if you delete the file. The article is really a section of my book, but I might write a separate blog as well. – Adrian Mouat Jun 10 '15 at 13:29
  • 1
    A variation on a file volume is a central config management store like Etcd or Consul. See also the vault project designed to save secrets securely. Comes from the same people that built consul and can be deployed with it. This is a hard problem to solve properly: https://vaultproject.io/ – Mark O'Connor Jun 10 '15 at 16:33
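A worked version of the "pass the secret in a volume" approach, added here as an example and not code from the answer above, the book it mentions, or the mysql image: an entrypoint script that reads the secret from a mounted file at start-up rather than taking it from -e or --env-file, so the value is never part of the container's Config.Env and does not show up in docker inspect. It reads the file instead of sourcing it, so a secret file is never executed as shell code. The mount path /run/secrets/mysql_root_password, the SECRET_FILE override and the permission policy are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the original answer's code). Intended use in the image:
#   COPY entrypoint.sh /entrypoint.sh
#   ENTRYPOINT ["/entrypoint.sh"]
#   CMD ["mysqld"]
# and at run time (path is an assumption):
#   docker run -v "$(pwd)/my-secret-file:/run/secrets/mysql_root_password:ro" ...
set -eu

# Read one secret from a file. Refuses a missing or empty file and a file that
# is group- or world-readable, so a too-permissive mount fails loudly instead
# of silently leaking. Trailing newlines are stripped (editors add one).
read_secret_file() {
    rsf_path="$1"
    if [ ! -f "$rsf_path" ]; then
        echo "secret file $rsf_path does not exist" >&2
        return 1
    fi
    # POSIX find: -perm -004 = readable by others, -perm -040 = readable by group.
    if [ -n "$(find "$rsf_path" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "secret file $rsf_path is readable by group or others; use mode 0400 or 0600" >&2
        return 1
    fi
    rsf_value=$(cat "$rsf_path")
    if [ -z "$rsf_value" ]; then
        echo "secret file $rsf_path is empty" >&2
        return 1
    fi
    printf '%s' "$rsf_value"
}

# Entry point: load the secret into the variable the application expects,
# then replace this shell with the application process.
entrypoint_main() {
    secret_path="${SECRET_FILE:-/run/secrets/mysql_root_password}"
    MYSQL_ROOT_PASSWORD=$(read_secret_file "$secret_path")
    export MYSQL_ROOT_PASSWORD
    # Caveat from the answer above still applies: the value is now in the
    # environment of the exec'd process and everything it spawns (readable via
    # /proc/<pid>/environ by anyone who can exec into the container); it is
    # only kept out of `docker inspect` and linked containers.
    exec "$@"
}

# Act as an entrypoint only when a command is given; with no arguments the
# file just defines the functions (e.g. when sourced for testing).
if [ "$#" -gt 0 ]; then
    entrypoint_main "$@"
fi
```

Run with a deliberately world-readable secret file (chmod 644) to see it refuse to start; mount the file with :ro and mode 0400 or 0600 in normal use. The variable is set only inside the container process tree, so deleting the host-side file after launch, as suggested in the comments, is not needed, but it remains visible in /proc/<pid>/environ to anyone who can exec into the container.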
1

You say "Alternatively, is it possible to pass sensitive parameters by reference to a file?"; extract from the doc http://docs.docker.com/reference/commandline/run/ : `--env-file=[] Read in a file of environment variables`.

Dan K.K.
user2915097