1

I'm experimenting with docker containers. More precisely, I use docker-compose. I need to pass variables to my container and use an .env file for that. While that works, it makes me wonder how secure it is. I mean every script language has access to env and therefore any hack in the running application could expose sensitive data stored in env. I want to store data like db passwords.

Inspired by salt, I am looking for a way to safely pass my variables into my application template before building the container, instead of passing them into the env of the container. How could one achieve this?

moestly

3 Answers

1

Nowadays you might use docker-compose.yml and insert a secrets part:

docker-compose.yml

version: "3.6"

services:

  my_service:
    image: ubuntu:latest
    entrypoint: "wc -c /run/secrets/my_secret"
    secrets:
      - my_secret

secrets:
  my_secret:
    file: ./password.txt

Bash Stack
1

There's an alternative using Docker Swarm called Docker secrets. A swarm allows you to have a cluster of docker engine nodes and you can create a one machine cluster if you wish. Basically you can use secrets that are stored in the Docker Swarm cluster that can be used when a service (a service will deploy tasks using containers in your cluster) is deployed in your cluster.

Docker secrets are explained here and you can even use them in your compose files. You have a nice example for your environment variables here.

I use docker secrets to store Amazon S3 credentials that are used inside my containers.

Miguel A. C.
  • Thanks a lot. I went with `args` for the current setup. This is practical enough for this dev-project. Your answer ultimately answers my question. – moestly Dec 20 '17 at 23:40
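Both of the answers above end with the same application-side question: once a secret is mounted as a file under /run/secrets (by compose or by Swarm), how does the application read it without falling back into the environment the question worries about? The following is an added example, not code from either answer or from Docker; it implements the lookup order that official images use (mounted file first, then a `<NAME>_FILE` path variable, then a plain environment variable as last resort). The directory name, the `demo_secret_dir` helper and the secret value `s3cr3t-example` are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Where docker-compose / Docker Swarm mount file-based secrets inside the container.
SECRETS_DIR = Path("/run/secrets")


def read_secret(name, secrets_dir=SECRETS_DIR, environ=None):
    """Return the secret called `name`, preferring the mounted file over the environment.

    Lookup order (strongest to weakest):
      1. <secrets_dir>/<name>   - the file the compose `secrets:` section mounts
      2. $<NAME>_FILE           - a path to the secret, convention used by many official images
      3. $<NAME>                - the secret itself in the environment (what the question wants to avoid)

    Only the last option leaves the secret readable via os.environ / /proc/<pid>/environ;
    the first two keep it on disk with the mount's permissions.
    """
    env = os.environ if environ is None else environ
    upper = name.upper()

    path = Path(secrets_dir) / name
    if not path.is_file():
        file_var = env.get(f"{upper}_FILE")
        if file_var:
            path = Path(file_var)

    if path.is_file():
        # Strip the trailing newline editors add; a stray "\n" is a classic "wrong password" bug.
        return path.read_text(encoding="utf-8").rstrip("\r\n")

    value = env.get(upper)
    if value is None:
        raise KeyError(f"secret {name!r} not found in {secrets_dir}, ${upper}_FILE or ${upper}")
    return value


def demo_secret_dir(name="db_password", value="s3cr3t-example"):
    """Create a temporary directory that mimics /run/secrets with one constructed secret.

    Returns the directory path so callers can pass it as `secrets_dir`.
    """
    directory = Path(tempfile.mkdtemp(prefix="secrets-demo-"))
    (directory / name).write_text(value + "\n", encoding="utf-8")
    return str(directory)


if __name__ == "__main__":
    # Stand-alone demo using the constructed directory instead of the real /run/secrets.
    demo_dir = demo_secret_dir()
    print("from mounted file:", read_secret("db_password", secrets_dir=demo_dir, environ={}))
    print("from _FILE var   :", read_secret("db_password", secrets_dir="/nonexistent",
                                             environ={"DB_PASSWORD_FILE": f"{demo_dir}/db_password"}))
    print("from plain env   :", read_secret("db_password", secrets_dir="/nonexistent",
                                             environ={"DB_PASSWORD": "weakest-option"}))
```

Inside a container started from the compose file in the first answer, calling `read_secret("my_secret")` with the defaults reads `/run/secrets/my_secret`; the `environ` parameter exists only so the lookup can be exercised without touching the real process environment.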
-1

Hashicorp Vault is the tool you are looking for. Store insensitive data in an .env, and for secrets use Vault.

https://www.vaultproject.io/

user373333