Docker Secrets are config files that contain sensitive information, like passwords, tokens, and keys. Unlike most applications where users authenticate (enter a username and password) to access your database or other components, Docker uses environment variables to expose the secrets’ values. You can set those container environment variables however you wish–but remember: they are accessible in plain text, so you should always strive to keep your secrets secret. You can manage Docker Secrets and access them from within the container, yet expose their values to other applications as environment variables outside of the container as well. This means that you could have different ‘versions’ of an application, each using a different version of your database schema, for example, each one using a different database username and password.
So how can you keep your secrets safe? Here are a few tips:
1. Use the latest Docker version and TLS (SSL) encryption to connect to the repository. This will help avoid tampering with your secrets as they are transported across networks. Doing so can be complicated with older versions of Docker, so it’s worth investing the time in upgrading to the latest version. The thing is, newer versions of Docker also have additional security features, like exposing secrets and providing a secure way to store and share them.
2. Use a secret management solution like HashiCorp Vault or Google Cloud’s Key Management Service, which work closely with Docker Secrets. These services will help you store your secrets securely and make sure they are only accessible to the approved users with access. For example, if you have a dev/test environment and need secrets to be accessed by that network, only the users with access should be able to see them. This means that your secrets management solution needs to have fine-grained access controls for it to work well with Docker. Thankfully, both Vault and KMS are configured this way.
3. Use the Docker Secrets Volume Driver, which allows you to mount a volume from your containers to another location, like a file system or block device outside of the container, but still have access to those values inside the container. In this way, you can expose secrets as plain text on an environment variable outside the container and make sure they are not visible inside the container. Being able to mount volumes and specific directories or files on a container has many other benefits as well. For example, you can use Docker Secrets Volume Driver to store your secrets in one place, like a mounted volume, instead of writing them directly into your Dockerfile. This helps reduce clutter and ensures that changes to a secret can be tracked more easily.
4. Take advantage of role-based access control (RBAC) within your containers, and limit the users who should have access to these secrets or the applications that use them. For example, if you are using an orchestrator like Kubernetes, you could limit specific user roles only to be able to access secrets that are relevant to their role.
5. Always encrypt sensitive data (passwords, API keys) before adding them as Docker Secrets. This ensures that potential hackers can’t access your passwords even if they get ahold of your secret file or repository.
6. Regularly rotate your secrets to avoid having somebody accidentally leave a copy of a secret lying around, or worse: be targeted by hackers who have access to it. Vault and KMS both have options for rotating secrets automatically, so you don’t have to worry about forgetting!
7. Use strong passwords and keys to access your secrets, and don’t expose them to the public. This will make it more difficult for hackers to get at your secrets, especially if they use long, complicated passwords or keys (such as with an SSH key).
Keeping your Docker Secrets secure is easy when you follow these tips and remember some basic security principles: encrypt, rotate, and store your secrets securely. Nothing is worse than having your database credentials stolen and rebuilding the whole application. So do yourself a favor, and keep your secrets safe.