
Recently I started building a Docker image for my application. The application uses a few secret keys which are used to connect to other microservices. I read about Docker secrets in swarm mode, which hold the application secrets, and I made changes in the application to accept the Docker secrets. I created the secret using the command:

    # the trailing "-" tells docker secret create to read the value from stdin
    printf "my-secrets12345" | docker secret create adminpassword -

Then I deployed the service with the following docker-compose file:

    version: '3.1'
    services:
      testService:
        secrets:
         - adminpassword
        image: "test-docker-secret:latest"
        #container_name: test-docker-secret
        ports:
         - "8080:8080"
        environment:
          SPRING_PROFILES_ACTIVE: dev
          SERVER_SSL_ENABLED: "true"
        volumes:
         - /home/tridev/pathtocerts/:/tmp/certificates/
    secrets:
      adminpassword:
        external: true

and then deployed it with:

    docker stack deploy --compose-file=test-stack-compose.yml testservice

After this my service started and worked as expected. Here I thought my secrets were not visible to anyone in plain text and were secure now. But when I went inside the container and browsed the directory /run/secrets/, I could see all my secrets in plain text. I can also see my secrets from the host machine by using

    docker container exec $(docker ps --filter name=testservice -q) cat /run/secrets/adminpassword

Here I see that if anyone gets access to my container or service, they can see the secrets and access data from other services. It feels like Docker secrets are an illusion and the secrets are visible.

Is there any other way with docker where I can store secret keys securely?

Pandey Amit

  • Well, your application needs to somehow use the secret in its plain form. If you don't want the secret to be in its plain form all the way to the application, you just have to encode/encrypt the password before passing it to your application, and your application just needs to compare the hash (for the encode method) or decrypt (for the encrypt method). – Lukman Jun 16 '20 at 16:22
  • Hey, I have the same problem. This functionality seems like Docker manages the secrets securely, but they are easily accessible from the container. Also, you have created the secret using the `printf` command, but I use docker-compose, so I need a plain text file storing the secrets which will then be mounted to `/run/secrets/`, as mentioned here: https://stackoverflow.com/questions/53751168/docker-compose-secrets-without-swarm. So the only solution I see is to encrypt the keys somehow and provide them to the application, and then the application will decrypt them. – Kaushal28 Jun 26 '20 at 08:29
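Added example (Go; not code from the question or from either comment) of the hash-and-compare variant Lukman describes. The Docker secret holds a salted PBKDF2-SHA256 verifier instead of the admin password itself, so whoever reads /run/secrets/adminpassword inside the container gets a value they still have to brute-force. The file layout /run/secrets/<name> is Docker's; the verifier string format and the inline PBKDF2 routine are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Docker mounts each swarm secret as a file at /run/secrets/<name>; the root is a parameter
// so the loader can be exercised against a temporary directory outside a container.
const DefaultSecretRoot = "/run/secrets"

// ReadSecret returns <root>/<name> with one trailing newline removed (the usual
// artefact of creating the secret with echo instead of printf); names may not contain paths.
func ReadSecret(root, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", errors.New("invalid secret name")
	}
	data, err := os.ReadFile(filepath.Join(root, name))
	if err != nil {
		return "", err
	}
	return strings.TrimSuffix(string(data), "\n"), nil
}

const pbkdf2Iterations = 100_000

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the example needs only the
// standard library (assumption: no pbkdf2 package available; use golang.org/x/crypto/pbkdf2 in real code).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U2..Uc, XORed together into T
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword produces the verifier stored as the Docker secret instead of the password:
// "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>" (assumed format).
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", pbkdf2Iterations,
		base64.StdEncoding.EncodeToString(salt), base64.StdEncoding.EncodeToString(dk)), nil
}

// VerifyPassword checks a presented password against the stored verifier in constant time;
// a malformed verifier is rejected, never accepted.
func VerifyPassword(stored, presented string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false
	}
	salt, err1 := base64.StdEncoding.DecodeString(parts[2])
	want, err2 := base64.StdEncoding.DecodeString(parts[3])
	if err1 != nil || err2 != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(presented), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample value; a real deployment never prints or logs the password.
	stored, err := HashPassword("my-secrets12345")
	if err != nil {
		panic(err)
	}
	fmt.Println("store this as the Docker secret:", stored)
	fmt.Println("correct password verifies:", VerifyPassword(stored, "my-secrets12345"))
	fmt.Println("wrong password verifies:  ", VerifyPassword(stored, "not-the-password"))
}
```

This only helps for secrets the application verifies, such as a password a client presents to it. For the keys the question uses to connect to other microservices the application has to send the actual value, so a hash cannot be used there; that case is what the answer's encryption layer addresses.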

1 Answer

Yes, that pretty much sums it up. I am also unhappy that the secrets are basically plain text in the Docker container: read-only, but still plain text.

You have to add another layer of encryption:

https://medium.com/javarevisited/how-to-encrypt-secrets-in-an-spring-boot-application-57a60c8abaa7

Basically you need to pre-encrypt the secrets and then let the plugin handle the decryption at config-file read time. How often, and whether, you change/rotate keys is then up to you (every key change needs to retrigger a container restart with the new/updated key).

Either way, there is no easy 5 minute fix to this.

werner
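The pre-encrypt-then-decrypt-at-load layer the answer describes, as an added example in Go. It is not the Jasypt setup of the linked article nor any project's code: the ENC(...) placeholder convention, the AES-256-GCM choice and the idea of keeping the key in its own Docker secret (e.g. /run/secrets/config_key, an assumed name) are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Config values of the form ENC(<base64>) are decrypted when the config is read. The AES-256-GCM
// key is a separate Docker secret (assumed: /run/secrets/config_key), never part of the image or
// of the config file itself.
const encPrefix, encSuffix = "ENC(", ")"

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("config key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the offline step, run once when the config is prepared; the output goes into the
// config as ENC(nonce || ciphertext || tag).
func Seal(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(ct) + encSuffix, nil
}

// Open decrypts one ENC(...) value. A wrong (e.g. rotated) key or a tampered value fails the
// GCM tag check and is reported as an error instead of being "decrypted" to garbage.
func Open(key []byte, wrapped string) (string, error) {
	if !strings.HasPrefix(wrapped, encPrefix) || !strings.HasSuffix(wrapped, encSuffix) {
		return "", errors.New("value is not an ENC(...) placeholder")
	}
	raw, err := base64.StdEncoding.DecodeString(wrapped[len(encPrefix) : len(wrapped)-len(encSuffix)])
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key or tampered value): %w", err)
	}
	return string(pt), nil
}

// ResolveConfig returns a copy of cfg with every ENC(...) value decrypted; plain values pass
// through unchanged. Errors name the config key, never the secret value.
func ResolveConfig(key []byte, cfg map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if !strings.HasPrefix(v, encPrefix) {
			out[k] = v
			continue
		}
		pt, err := Open(key, v)
		if err != nil {
			return nil, fmt.Errorf("config key %q: %w", k, err)
		}
		out[k] = pt
	}
	return out, nil
}

func main() {
	// Constructed stand-in for the key the application would read from its own secret file.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, "my-secrets12345") // constructed sample value
	cfg := map[string]string{"server.port": "8080", "admin.password": sealed}
	resolved, err := ResolveConfig(key, cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored form:", cfg["admin.password"])
	fmt.Println("decrypted in memory matches:", resolved["admin.password"] == "my-secrets12345")
}
```

The gain is separation, not invisibility: the ciphertext can sit in the compose file or in source control while the key lives only in a Docker secret, and a value that was tampered with or sealed under an old key fails loudly at start-up. The key still has to be readable by the container, so, as the answer says, anyone who can exec into the running container can recover the plaintext, and rotating the key means re-sealing every value and restarting the service.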