
What are the best practices for storing sensitive data with Podman 3.0? It looks like from Podman 3.1 we have Podman Secrets, which provides the ability to create and manage secret files. What would be the approach with 3.0?


1 Answer


From what I gather, there is no general best practice due to how different set-ups can be. The amount of security you need depends on how valuable the thing that you're trying to protect is. The system's requirements and architecture also matter a lot, including whether you're using cloud vendors and orchestration.

I'll presume you're experimenting with a simple application on a trusted machine, in which case it seems acceptable to mount the secret using a volume, i.e., podman run -v $(pwd)/.env:/app/.env my-app. This means that the secret is contained to your host machine. In other words, your secret is never exposed in the container image, so you won't, for example, accidentally leak anything in a publicly available repository. Should your set-up be more complicated, please update your question to be more specific.

Please note that your container might not have access rights to the secret if you're running SELinux. In that case, add :Z or :z or --privileged. Please see, e.g., this question for more details, and be careful not to mount anything that can be harmed by relabeling, e.g., .ssh.
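The volume-mount approach from the answer, wrapped in a few pre-flight checks, as an added example that is not part of the original answer or of Podman itself. It assumes the secret lives in a `.env` file, that the image name `my-app` and the container path `/app/.env` are placeholders, and it picks the `:Z` (private, per-container) SELinux relabel rather than `:z` or `--privileged` because it relabels only the one file being mounted. The two checks cover the points the answer makes: the secret stays on the host with owner-only permissions, and it is listed in the build-context ignore file so a later `podman build` cannot bake it into an image layer.

```shell
#!/bin/sh
# Added example (not from the original answer): check a host-side secret file,
# then build the 'podman run -v ... :Z' command that mounts it into the container.
# Assumptions: secret file is ./.env, image 'my-app' and path /app/.env are placeholders.

# Return 0 if the secret file exists, is a regular file, and is readable only by
# its owner (mode 600 or 400), so other local users cannot read it from the host.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing secret file: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "secret file $f has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Return 0 if the secret file is excluded from the build context: an exact-line
# entry in .containerignore (Podman's name) or .dockerignore (also honoured by
# Podman) keeps 'podman build' from copying it into an image layer.
check_ignored() {
    f="$1"; dir="$2"
    for ign in "$dir/.containerignore" "$dir/.dockerignore"; do
        [ -f "$ign" ] && grep -qx -- "$(basename "$f")" "$ign" && return 0
    done
    echo "$(basename "$f") is not listed in $dir/.containerignore or .dockerignore" >&2
    return 1
}

# Print the run command. ':Z' gives the file a private SELinux label for this
# container only; the host path must be absolute for 'podman run -v'.
build_run_cmd() {
    secret="$1"; image="$2"
    printf 'podman run --rm -v %s:/app/.env:Z %s\n' "$secret" "$image"
}

# Usage against a real image (uncomment to run):
# check_secret_file "$PWD/.env" && check_ignored "$PWD/.env" "$PWD" \
#     && eval "$(build_run_cmd "$PWD/.env" my-app)"
```

The checks run on the host before the container starts; if either fails the command is never built, so a misconfigured secret file is caught before it is mounted. Because the secret is only ever a bind mount, nothing here is needed at image-build time, which is the property the answer is relying on.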