Question 84629 in Docker Question posted in
The official documentation can be found here.

Do Docker secrets provide any additional security over a bind mount?

From what I understand, Docker secrets and mounts (bind and volume) are all secure ways of managing secrets within a Docker container. I am wondering whether secrets has any security advantages?

I have an arbitrarily sized group of secrets. The secrets are kept in separate files in a folder. They periodically and automatically change. I want to make all of them available to a Docker container. Using a bind mount, I can mount their folder and they will all be accessible. Using secrets, I would have to specify each one in the Docker Compose file, increasing coupling and reducing maintainability. Is there any reason I should choose to go with secrets at the cost of maintainability?

Tags:

2

Answers


  1. 0

    if you are not using swarm, it is of no use to you.

    Docker secrets are only available to swarm services, not to standalone containers.

    using secrets has the following advantages

    Secrets are encrypted during transit and at rest in a Docker swarm.

    you can leverage secrets in docker compose, which bring the secrets features to containers regardless of swarm. docker compose just gives a nice interfacefacede for mounting a secret file and exposing it to the container with a its naming conventions.

    Login or Signup to reply.
  2. 0

    I was thinking the same recently, not wanting to actually use Docker Swarm or running anything distributed. In my case, the starting point was a project using .env containing secrets. If you have a simple Docker Compose project, there is no added value from using Docker secrets managed via docker secret. Note that without actually being a Swarm manager, you cannot even create secrets with docker secret!

    Unbeknownst to many, Docker Compose actually has support for mounting secrets just like Docker Swarm, with the exception that it only works for local files. So this would be a valid Docker Compose config:

    version: "3.9"

services:
   db:
     image: mysql:latest
     volumes:
       - db_data:/var/lib/mysql
     environment:
       MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD_FILE: /run/secrets/db_password
     secrets:
       - db_root_password
       - db_password

   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       - "8000:80"
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
     secrets:
       - db_password

secrets:
   db_password:
     file: db_password.txt
   db_root_password:
     file: db_root_password.txt

volumes:
    db_data:

    You don’t really gain a lot of extra security or added value here, apart from the fact that you separate the volumes and other types of configuration (via env) from the secrets, which provides a little bit of extra safeguard against accidentally committing a secret to a repository, or mounting the wrong file to the wrong container, etc.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search