1

Often, applications require some sort of credentials in their configuration files. Most applications do not support reading those credentials from another file except from the configuration file itself. Providing this configuration in a secure manner using Docker secrets would require the whole configuration to be a secret. I would however prefer to only store passwords and keys as secrets.

Is there a way to provide Docker secrets to applications requiring a configuration file (containing the secrets)?

I'm thinking about populating templates with the contents of Docker's secret files to generate the configuration files inside the container (for example using the container's entrypoint). What are the security related implications of this approach? Provided the configuration file's permissions are set appropriately, do the generated configuration files increase the risk of secret exposure?

EDIT: The applications in question are third-party, using the configuration files is necessary.

thertweck
  • 1,120
  • 8
  • 24
  • Take a look at Hashicorp Vault – Software Engineer Oct 05 '17 at 23:49
  • I did already, but Vault alone does not solve the problem since the secret has to end up in the application's configuration somehow (the application is third party, I can't implement Vault support there directly). However, Hashicorp's consul-template, which supports reading from Vault, provides similar functionality. I would want an approach like that, but based on Docker secrets. – thertweck Oct 05 '17 at 23:53

0 Answers0