How to use `docker secret` to prevent secrets from being seen in plain text by unauthorized individuals
I am exploring how to use docker secrets, but all the secrets are visible in plain text format to anyone who can use the docker
command. How do I ensure all secrets are sufficiently protected and not as readily accessible to unauthorized individuals?
Here is what I did:
I made a file called docker-compose.yml with the following content:

services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: nuclear_launch_codes
      MYSQL_USER: president_of_usa
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password

secrets:
  db_password:
    external: true
  db_root_password:
    external: true

volumes:
  db_data:
Then I ran these commands:

docker swarm init;
printf "test123" | docker secret create db_root_password -
printf "test123" | docker secret create db_password -
docker stack deploy -c docker-compose.yml dbtest
docker ps -a

I see these results:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b58e975bb8d9 mysql:latest "docker-entrypoint.s…" 3 seconds ago Up 2 seconds 3306/tcp, 33060/tcp dbtest_db.1.xxfnhutnbfdygjukcffx5k8ct
I then ran this command:

docker exec -it dbtest_db.1.xxfnhutnbfdygjukcffx5k8ct cat /run/secrets/db_root_password

I see this result:

test123

What is the idiomatic docker way to ensure test123 is not revealed as the value for db_root_password and db_password?
Note - Previously, I would manage secrets within the applications as opposed to relying on docker. Using the above as an example, I think once MySQL is running for the first time, I can probably remove any mention of passwords from the environment: section and completely remove the secrets: section, because mysql probably already saved and encrypted the passwords within its own storage devices, and mysql no longer needs to reference passwords again from other sources. This means I can have two docker-compose files:

- docker-compose.setup.yml, that I use only once for initial set up, and it references external secrets
- docker-compose.run.yml, that I use for subsequent usage of mysql, and it no longer references any secrets
My approach seems very cumbersome and doesn't feel very conventional. What is the proper way to protect secrets in docker?
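An added example, not part of the question above, showing the long-form `secrets` syntax that a Swarm stack accepts: it sets the owner and mode of the file mounted under `/run/secrets/`, so only the service's own user can read it rather than every process in the container. The uid/gid 999 is an assumption about the `mysql:latest` image's `mysql` user (check with `docker exec <container> id mysql`); note this narrows in-container access only and does not stop someone who can run `docker exec` as root, which is the access the question describes.

```yaml
# Added example: same stack as the question, with per-service secret
# file ownership and permissions restricted (assumed mysql uid/gid 999).
services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: nuclear_launch_codes
      MYSQL_USER: president_of_usa
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      # Long syntax: file is owned by uid/gid 999 and readable only by that user.
      - source: db_root_password
        target: db_root_password
        uid: "999"
        gid: "999"
        mode: 0400
      - source: db_password
        target: db_password
        uid: "999"
        gid: "999"
        mode: 0400

secrets:
  db_password:
    external: true
  db_root_password:
    external: true

volumes:
  db_data:
```

Deployed with the same `docker stack deploy -c docker-compose.yml dbtest`, a process in the container running as a user other than 999 gets "Permission denied" on `/run/secrets/db_root_password`, while `docker secret inspect` on the host still shows only metadata, never the value.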