
From what I understand, Docker secrets and mounts (bind and volume) are all secure ways of managing secrets within a Docker container. I am wondering whether secrets have any security advantages?

I have an arbitrarily sized group of secrets. The secrets are kept in separate files in a folder. They periodically and automatically change. I want to make all of them available to a Docker container. Using a bind mount, I can mount their folder and they will all be accessible. Using secrets, I would have to specify each one in the Docker Compose file, increasing coupling and reducing maintainability. Is there any reason I should choose to go with secrets at the cost of maintainability?

2 Answers


  1. If you are not using Swarm, it is of no use to you.

    Docker secrets are only available to Swarm services, not to standalone containers.

    Using secrets has the following advantages:

    Secrets are encrypted during transit and at rest in a Docker Swarm.

    You can leverage secrets in Docker Compose, which brings the secrets feature to containers regardless of Swarm. Docker Compose just gives a nice interface/facade for mounting a secret file and exposing it to the container with its naming conventions.

  2. I was thinking the same recently, not wanting to actually use Docker Swarm or running anything distributed. In my case, the starting point was a project using .env containing secrets. If you have a simple Docker Compose project, there is no added value from using Docker secrets managed via docker secret. Note that without actually being a Swarm manager, you cannot even create secrets with docker secret!

    Unbeknownst to many, Docker Compose actually has support for mounting secrets just like Docker Swarm, with the exception that it only works for local files. So this would be a valid Docker Compose config:

    ```yaml
    version: "3.9"

    services:
      db:
        image: mysql:latest
        volumes:
          - db_data:/var/lib/mysql
        environment:
          MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
          MYSQL_DATABASE: wordpress
          MYSQL_USER: wordpress
          MYSQL_PASSWORD_FILE: /run/secrets/db_password
        secrets:
          - db_root_password
          - db_password

      wordpress:
        depends_on:
          - db
        image: wordpress:latest
        ports:
          - "8000:80"
        environment:
          WORDPRESS_DB_HOST: db:3306
          WORDPRESS_DB_USER: wordpress
          WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
        secrets:
          - db_password

    secrets:
      db_password:
        file: db_password.txt
      db_root_password:
        file: db_root_password.txt

    volumes:
      db_data:
    ```

    You don’t really gain a lot of extra security or added value here, apart from the fact that you separate the volumes and other types of configuration (via env) from the secrets, which provides a little bit of extra safeguard against accidentally committing a secret to a repository, or mounting the wrong file to the wrong container, etc.

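Added example, not part of either answer above: application-side code that consumes secrets the way the Compose snippet exposes them. It covers both the `*_FILE` environment convention used by the `mysql` and `wordpress` images (`MYSQL_PASSWORD_FILE` pointing at a file under `/run/secrets`) and the asker's case of a whole folder of rotating secret files read via a mount. The function names, the `SecretDir` class, the rejection of `NAME` and `NAME_FILE` both being set, and the sample secrets written into a temporary directory are my own assumptions and constructed data, not the page's or Docker's code. The point it demonstrates: reading from a file keeps the value out of the container's environment (and so out of `docker inspect` and `/proc/<pid>/environ`), and re-reading on mtime change picks up rotated files without a restart.

```python
"""Consume Docker secrets mounted as files (added example; names are assumptions)."""
import os
import tempfile
from pathlib import Path


class SecretError(RuntimeError):
    """Raised when a secret cannot be resolved unambiguously."""


def read_secret_file(path):
    """Return a secret file's contents minus one trailing newline.

    `echo` and most editors append a newline that is not part of the secret."""
    p = Path(path)
    if not p.is_file():
        raise SecretError(f"secret file not found: {p}")
    data = p.read_text(encoding="utf-8")
    return data[:-1] if data.endswith("\n") else data


def get_secret(name, env=None):
    """Resolve NAME from NAME_FILE (a path) or NAME (a plain variable).

    Setting both is treated as a misconfiguration (assumed policy) rather than
    silently preferring one; a plain variable is accepted only as a fallback."""
    env = os.environ if env is None else env
    file_var = f"{name}_FILE"
    if file_var in env and name in env:
        raise SecretError(f"both {name} and {file_var} are set; they are exclusive")
    if file_var in env:
        return read_secret_file(env[file_var])
    if name in env:
        return env[name]
    raise SecretError(f"neither {name} nor {file_var} is set")


class SecretDir:
    """Expose every regular file in a mounted secrets directory as a secret.

    Values are cached per file and re-read only when the file's mtime changes,
    so rotated secrets are seen without restarting the process."""

    def __init__(self, directory):
        self.directory = Path(directory)
        self._cache = {}  # name -> (mtime_ns, value)

    def names(self):
        return sorted(p.name for p in self.directory.iterdir() if p.is_file())

    def get(self, name):
        p = self.directory / name
        if not p.is_file():
            self._cache.pop(name, None)
            raise SecretError(f"no secret named {name!r} in {self.directory}")
        mtime = p.stat().st_mtime_ns
        cached = self._cache.get(name)
        if cached is None or cached[0] != mtime:
            self._cache[name] = (mtime, read_secret_file(p))
        return self._cache[name][1]

    def load_all(self):
        return {n: self.get(n) for n in self.names()}


def demo():
    """Constructed scenario: two secret files, one of them rotated later.

    Returns the observed values so the behaviour can be checked by a caller."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        secrets = Path(d)  # stands in for /run/secrets or the asker's bind-mounted folder
        (secrets / "db_password").write_text("s3cret\n", encoding="utf-8")
        (secrets / "db_root_password").write_text("r00t\n", encoding="utf-8")

        # *_FILE convention, as the mysql/wordpress services in the snippet use it.
        env = {"MYSQL_PASSWORD_FILE": str(secrets / "db_password")}
        out["via_file_env"] = get_secret("MYSQL_PASSWORD", env)

        store = SecretDir(secrets)
        out["all"] = store.load_all()

        # Rotate one secret. A real rotation yields a new mtime by itself; the
        # explicit utime keeps the demo deterministic on coarse-grained filesystems.
        p = secrets / "db_password"
        p.write_text("rotated\n", encoding="utf-8")
        later = p.stat().st_mtime_ns + 10**9
        os.utime(p, ns=(later, later))
        out["after_rotation"] = store.get("db_password")
        out["untouched_still_cached"] = store.get("db_root_password")

        try:
            get_secret("X", {"X": "plain", "X_FILE": str(p)})
            out["both_set_rejected"] = False
        except SecretError:
            out["both_set_rejected"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`SecretDir` keys secrets by filename, which is exactly the coupling the asker wants to avoid in the Compose file: nothing in the application has to list the secrets in advance, and a new file in the folder becomes available on the next `names()` call. Whether the folder is a bind mount or a Compose `secrets:` entry makes no difference to this code; both end up as files.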