Docker and Runtime Confidential Information

We are deploying an application (written in Node.js) that needs access to some sensitive data at runtime (API tokens for different services), and I cannot find any recommended approach to this problem.

Some information:

  • Sensitive information is not in our code base, but it is stored in another repository in an encrypted format.
  • In our current deployment without Docker, we update the code base with git, and then manually copy sensitive information through SSH.
  • Docker images will be stored in a private, self-contained registry.

I can think of different approaches, but they all have some disadvantages:

  1. Include confidential information in Docker images during build. This is by far the easiest; however, it makes them available to everyone who has access to the image (I don't know if we need to trust the registry so much).
  2. Like 1, but with credentials in the image for data only.
  3. Create a volume in the image that references the directory on the host system and manually copy the credentials via SSH, as we are doing right now. This is also very convenient, but then we cannot easily create new servers (perhaps we could use something like etcd to synchronize them?).
  4. Pass the information as environment variables. However, we now have 5 different pairs of API credentials, which makes this a bit inconvenient. Most importantly, however, we will need to save another copy of the sensitive information in the configuration scripts (the commands that will be executed to launch the Docker images), and this can easily create problems (for example, credentials accidentally included in git, etc.).

PS: I did some research, but could not find anything similar to my problem. Other questions (such as this one) dealt with sensitive information needed during build; in our case, we need the information at runtime.

1 answer

I have used your options 3 and 4 to solve this in the past. Rephrase / Clarify:

Create a volume in the image that references the directory on the host system and manually copy the credentials via SSH, as we are doing right now.

I use configuration management (Chef or Ansible) to configure credentials on the host. If the application accepts a configuration file that needs API tokens or database credentials, I use configuration management to create this file from a template. Chef can read credentials from an encrypted data bag or from attributes, write the files on the host, and then run a container with the volume as you describe.

Please note that the container may need a shell wrapper to run the application. The wrapper copies the configuration file from wherever the volume is mounted to the place where the application expects it, then launches the application.

Pass the information as environment variables. However, we now have 5 different pairs of API credentials, which makes this a bit inconvenient. Most importantly, however, we will need to save another copy of the sensitive information in the configuration scripts (the commands that will be executed to launch the Docker images), and this can easily create problems (for example, credentials accidentally included in git, etc.).

Yes, it is cumbersome to pass a bunch of env variables using the -e key=value syntax, but I prefer to do this. Remember that the variables are still available to everyone who has access to the Docker daemon. If your docker run is scripted, it's easier.

If not, use the --env-file flag as discussed in the Docker docs. You create a file with key=value pairs, then start the container using this file.

    $ cat >> myenv << END
    FOO=BAR
    BAR=BAZ
    END
    $ docker run --env-file myenv

This myenv file can be created using Chef / configuration management as described above.

If you host on AWS, you can use KMS here. Store either the env file or the configuration file (which is passed to the container in the volume) encrypted through KMS. In the container, use a wrapper script to call KMS, decrypt the file, move it into place and launch the application. That way the configuration data is not stored on disk in the clear.

