Docker Secrets


In this blog, we will be learning Docker secrets. Docker secrets offer a secure way to store sensitive information such as usernames, passwords, and even files like self-signed certificates, ssh keys. 


Consider the below command -

[email protected]:~# #docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=mypassword -d mysql:tag



It's not a secure way to share the password through the command line or through the environment variable.

Let's dive right in and see how to create secrets.


docker secret create

Creates a secret using standard input or from a file for the secret content.


Syntax

$ docker secret create [OPTIONS] SECRET [file|-]

Options

--driver , -d: Secret driver
--label , -l: Secret labels
--template-driver: Template driver


Examples


Creating a secret-

# docker secret secretName -


Do not miss the ‘-’ in the last, as it reads the standard input.

The above command will expect an input from you which will be the password. Enter the password and hit ctrl+D to exit -

example:

root@master:~# docker secret create dbpass -
mytestpassword
zkdsviynv8bogg6eu32c4rhh0
root@master:~# docker secret ls
ID                          NAME      DRIVER    CREATED          UPDATED
zkdsviynv8bogg6eu32c4rhh0   dbpass              16 seconds ago   16 seconds ago
root@master:~#


Let's inspect the above password to check if it is exposing any of the provided secrets -

root@master:~# docker secret inspect dbpass
[
    {
        "ID": "zkdsviynv8bogg6eu32c4rhh0",
        "Version": {
            "Index": 340
        },
        "CreatedAt": "2021-11-21T19:04:28.242077255Z",
        "UpdatedAt": "2021-11-21T19:04:28.242077255Z",
        "Spec": {
            "Name": "dbpass",
            "Labels": {}
        }
    }
]
root@master:~#

This was one of the ways to encrypt the data.


You can also provide the password using a stored file.

Create a file testpw and add password mytestpwfile in it.

root@master:~# echo "mytestpwfile">testpw
root@master:~# ls
testpw
root@master:~# cat testpw
mytestpwfile
root@master:~#



To create the secret using this file, run the following command-

root@master:~# docker secret create mytestfile testpw
oq4t76x6ird65lg5t25jfeams
root@master:~# docker secret ls
ID                          NAME         DRIVER    CREATED          UPDATED
zkdsviynv8bogg6eu32c4rhh0   dbpass                 20 minutes ago   20 minutes ago
oq4t76x6ird65lg5t25jfeams   mytestfile             14 seconds ago   14 seconds ago
root@master:~#



The secret we created can only be used by the service it is being assigned to. 

[email protected]master:~# docker service create -d --secret dbpass alpine ping 8.8.8.8
vr9b3nmkt7o5lcki0ogusi4ck
[email protected]master:~# docker service ps vr
ID             NAME                      IMAGE           NODE       DESIRED STATE   CURRENT STATE           ERROR     PORTS
87s41vxfd7sd   agitated_grothendieck.1   alpine:latest   worker01   Running         Running 8 seconds ago
[email protected]master:~#



The above command makes sure that this service container only will have the right to use the dbpass secret.

Where does the docker save the secrets?

Docker swarm worker nodes save the secrets at the path /run/secrets/.  And this can be verified as follows -

on worker01 node where service's container available

[email protected]:~# docker ps
CONTAINER ID   IMAGE           COMMAND          CREATED          STATUS          PORTS     NAMES
69c1447b6e51   alpine:latest   "ping 8.8.8.8"   15 seconds ago   Up 15 seconds             agitated_grothendieck.1.87s41vxfd7sdu0mkms2cdwkch
[email protected]:~# docker container exec -it 69 sh
/ # cd /run/secrets/
/run/secrets # ls
dbpass
/run/secrets # cat dbpass
mytestpassword
/run/secrets #