Protecting Docker Environment Variables

I have a Docker application to which I need to pass a piece of sensitive information, since it uses a passphrase to encrypt/decrypt the stored data. I am trying to understand how safe it is to use an environment variable to pass this information. I know that if I use

docker run -e passphrase="secretkey123" --name containername imagename 

then the value can be found with:

docker inspect containername

Thus, it must be stored somewhere on disk (in /var/lib/docker, I assume). Is there a safer way to pass an environment variable to Docker? Should I use a temporary file in a volume shared with the host file system? Is there a better way?

+6
1 answer

No matter where it is stored, it is clearly accessible through docker inspect. I think it comes down to how secure you want it to be. For example, you could instead use a shared volume with file permissions that restrict access to the password file on disk. Or you could use a socket / ssh / etc., so you don't have to put the password in a file on disk at all. It only depends on how secure you really want it to be.

Note that if, say, a web server is running in the container, I assume that if someone breaks out of the web server, they will only be able to access what the container can reach (and not the host operating system on which Docker runs).

+3
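The file-on-a-volume approach from the answer, worked through as an added example (this is not code from the original question or answer). The passphrase is written to a host file that only its owner can read, the directory is bind-mounted read-only into the container, and the container's environment carries only the path to the file, so `docker inspect` reveals where the secret lives but not its value. The directory, the in-container mount point /run/secrets, the variable name PASSPHRASE_FILE and the image name "imagename" are all assumed names; `--mount type=bind,...,readonly` and `docker inspect -f '{{json .Config.Env}}'` are standard Docker CLI syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Names such as SECRET_DIR,
# /run/secrets, PASSPHRASE_FILE and "imagename" are assumptions.
set -eu

# Write the passphrase to a file that only its owner can read. The umask is
# set in a subshell so the file is never created world-readable, not even
# for an instant between creation and chmod.
write_secret_file() {
    dir=$1; passphrase=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    rm -f "$dir/passphrase"
    ( umask 077; printf '%s' "$passphrase" > "$dir/passphrase" )
    printf '%s\n' "$dir/passphrase"
}

# Return 0 only if the file grants no permissions at all to group or others.
# The first field of `ls -l` (10 mode characters) is POSIX-specified;
# characters 5-10 are the group and other rwx bits.
secret_file_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# The insecure form from the question: the value lands in the container's
# config and is shown by `docker inspect` (returned here, not executed).
build_insecure_run_cmd() {
    passphrase=$1; name=$2; image=$3
    printf '%s\n' "docker run -d -e passphrase=$passphrase --name $name $image"
}

# The hardened form: bind-mount the secrets directory read-only and pass only
# the in-container path. The passphrase itself appears neither in argv nor in
# the container's environment.
build_run_cmd() {
    dir=$1; name=$2; image=$3
    printf '%s\n' "docker run -d --name $name --mount type=bind,source=$dir,target=/run/secrets,readonly -e PASSPHRASE_FILE=/run/secrets/passphrase $image"
}

# What anyone with access to the Docker socket sees. Only runs where the
# docker CLI is installed; otherwise returns 1.
show_container_env() {
    command -v docker >/dev/null 2>&1 || { echo "docker not available" >&2; return 1; }
    docker inspect -f '{{json .Config.Env}}' "$1"
}

# Usage (run as a script):
#   f=$(write_secret_file /srv/secrets/app secretkey123)
#   secret_file_is_private "$f" && sh -c "$(build_run_cmd /srv/secrets/app containername imagename)"
#   show_container_env containername   # shows PASSPHRASE_FILE=/run/secrets/passphrase, not the value
```

Two caveats a practitioner should keep in mind: the file's owner uid on the host must match the uid the containerised process runs as (a 0600 file owned by root is unreadable to a process running as an unprivileged user inside the container), and anyone who can run `docker inspect` usually also has enough access to the Docker daemon to read the mounted file anyway. The file permissions protect the secret from other local users, not from whoever controls the daemon.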

Source: https://habr.com/ru/post/973455/
