How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals

How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals

I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker command. How do I ensure all secrets are sufficiently protected and not as readily accessible to unauthorized individuals?

Here is what I did:

I made a file called docker-compose.yml with the following content:

services:
   db:
     image: mysql:latest
     volumes:
       - db_data:/var/lib/mysql
     environment:
       MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
       MYSQL_DATABASE: nuclear_launch_codes
       MYSQL_USER: president_of_usa
       MYSQL_PASSWORD_FILE: /run/secrets/db_password
     secrets:
       - db_root_password
       - db_password
secrets:
   db_password:
     external: true
   db_root_password:
     external: true

volumes:
    db_data:

Then I ran these three commands:

docker swarm init;
printf "test123" | docker secret create db_root_password -
printf "test123" | docker secret create db_password -
docker stack deploy -c docker-compose.yml dbtest
docker ps -a

I see these results.

CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS                 NAMES
b58e975bb8d9   mysql:latest   "docker-entrypoint.s…"   3 seconds ago   Up 2 seconds   3306/tcp, 33060/tcp   dbtest_db.1.xxfnhutnbfdygjukcffx5k8ct

I then ran this command:

docker exec -it dbtest_db.1.xxfnhutnbfdygjukcffx5k8ct cat /run/secrets/db_root_password

I see this result

test123

What is the idiomatic docker way to ensure test123 is not revealed as the value for db_root_password and db_password?

---

Note - Previously, I would manage secrets within the applications as opposed to relying on docker. Using the above as an example, I think once MySQL is running for the first time, I can probably remove any mention of passwords from the environment: section and completely remove the secrets: section, because mysql probably already saved and encrypted the passwords within its own storage devices, and mysql no longer needs to reference passwords again from other sources. This means I can have two docker-compose files:

• docker-compose.setup.yml that I use only once for initial set up, and it references external secrets
• docker-compose.run.yml that I use for subsequent usage of mysql, and it no longer references any secrets

My approach seems very cumbersome and doesn't feel very conventional. What is the proper way to protect secrets in docker?