
I have a dockerized application that processes data fetched from 3rd party APIs. Now, an API token or password is required to work with these APIs. Currently, I'm supplying it to my script by setting the docker container's environment variables using a docker-compose file.

The problem with this approach is that the API credentials are stored in plain text in my docker-compose file. So I'm planning to first encrypt it and then store it in the docker-compose file, but with this approach, my script needs to know the decryption key with which the credentials are encrypted. Hard coding it in the script would not be the best possible option as anyone can view my script in a running docker container. So how do I manage the decryption key? Is this even possible?

I explored "Docker secrets" but it seems that it's built for solving a different problem.

Here is a similar question without any answers: What is best way to secure secret keys with Docker in spring boot application

Some other references:

But these do not answer the question of decryption key management. Any high-level ideas and/or references are appreciated.

Kaushal28
  • Would this work for you? https://stackoverflow.com/questions/46648085/how-to-store-server-key-rsa-in-docker-compose-yml – Tin Nguyen Jun 26 '20 at 09:51
  • @TinNguyen Nope. It's about storing the key in docker-compose. The solution is storing the key in a separate file in plain text and creating a docker secret pointing to that file. But in my case, it won't work because the content of the file would be plain text and that's something I don't want. – Kaushal28 Jun 26 '20 at 09:56
  • You have to store something in plain text and that can be a key, token, whatever. If you don't want another user on the server to be able to read that, you need to set the permissions so that only a certain user or group can read/write the file. Even if you manually run the docker CLI command in detached mode with the environment variables on the CLI, people can still see the plaintext environment variables. – Tin Nguyen Jun 26 '20 at 10:04

1 Answer

Say you have two things:

  • A secure enclave to store such an API key (e.g.: a different machine/VM, a private repo, a private docker container, a private mounted unit, etc.)
  • A secure way to access that enclave from your docker container (SSH, HTTPS, private HW access).

With this setup you could keep the API key in the secure enclave and access it only during runtime, ensuring that no piece of code leaks this info. If you want to add an extra layer, you could set up some type of authentication when retrieving the API key, some way to ensure that only your instance of your docker container is accessing it.

Encrypting the API key is unfortunately useless, since you're still gonna have to decrypt it before using it. In general, plain encryption is mostly useful for safe storage or safe communication. In your case there is no way to avoid having the API key in cleartext in RAM memory when sending your request.

ibarrond
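The simplest form of the setup the answer and the comments describe is a secret that lives outside the image and outside docker-compose.yml, is mounted into the container at run time (for example a tmpfs-backed Docker secret), and is read by the script only when needed, after checking that nobody else on the host could read it. The following loader is an added example written for this thread, not code from the asker or the answerer; the mount path `/run/secrets/api_token`, the `SecretError` type and the `selftest` helper are assumptions, and the token value in `selftest` is constructed.

```python
"""Load an API token from a mounted secret file at run time.

Added example for this thread (not the asker's script). Assumes the
secret is mounted read-only at /run/secrets/api_token, the default
location Docker uses for secrets; the compose file then references the
file, never the token itself.
"""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_SECRET_PATH = Path("/run/secrets/api_token")  # assumed mount point


class SecretError(RuntimeError):
    """Raised when the secret file is missing, empty or too permissive."""


def check_secret_file(path: Path) -> None:
    """Refuse symlinks, non-regular files and files readable by group/others.

    This enforces the point made in the comments: the one thing that has to
    exist in plain text must be readable by the owning user only.
    """
    if path.is_symlink():
        raise SecretError(f"{path} is a symlink; refusing to follow it")
    if not path.exists():
        raise SecretError(f"secret file {path} is not mounted")
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise SecretError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(
            f"{path} is accessible to group/others "
            f"(mode {oct(st.st_mode & 0o777)}); expected 0600 or 0400"
        )


def load_api_token(path: Path = DEFAULT_SECRET_PATH) -> str:
    """Return the token from the secret file, stripped of trailing newline."""
    check_secret_file(path)
    token = path.read_text(encoding="utf-8").strip()
    if not token:
        raise SecretError(f"secret file {path} is empty")
    return token


def redact(token: str) -> str:
    """Safe representation for log lines: never print the token itself."""
    if len(token) < 8:
        return "****"
    return token[:2] + "..." + token[-2:]


def selftest() -> dict:
    """Exercise the checks against constructed files in a temp directory.

    Returns which cases were accepted or rejected, so the behaviour can be
    asserted without touching /run/secrets.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "api_token"
        good.write_text("sk_example_0123456789\n", encoding="utf-8")  # constructed
        os.chmod(good, 0o600)
        results["owner_only"] = load_api_token(good)

        os.chmod(good, 0o644)  # world-readable: must be refused
        try:
            load_api_token(good)
            results["world_readable_rejected"] = False
        except SecretError:
            results["world_readable_rejected"] = True

        link = Path(d) / "link_to_token"
        os.chmod(good, 0o600)
        link.symlink_to(good)  # symlink: must be refused even if target is fine
        try:
            load_api_token(link)
            results["symlink_rejected"] = False
        except SecretError:
            results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(selftest())
    # In the container the real call is simply:
    # token = load_api_token()
    # print("using token", redact(token))
```

With this shape, `docker inspect` or `docker compose config` only ever reveals the path of the mount, and the token exists in cleartext only on the host file (owner-only permissions) and in the process's memory while the request is made, which is exactly the residual exposure the answer says cannot be avoided.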