Reputation: 11
Went through a crash course in Docker and Compose to learn how to deploy a small automated application with security in mind. Problem is, I needed to feed the script sensitive values and did not want to hardcode them in. After a lot of research, I settled on Compose and setting my env vars at runtime rather than using the standard Docker build. I also have some JSON files that contain web cookies as a form of login that are passed as volumes. My understanding was that the values would not be visible while inspecting the container. Yet, when I inspect it, they are clearly visible along with the contents of the JSON files. Unless I am the only one that knows how to access the specific container, I am pretty sure that this is NOT a safe option.
From the YAML:
services:
  frontend:
    image: SOME IMAGE
    build: .
    volumes:
      - ./script.py:/app/script.py
      - ./words.txt:/app/words.txt
      - ./.some.json:/app/.some.json
      - ./.another.json:/app/.another.json
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - ./some.env
    container_name: name
volumes:
  .:
    external: true
Why are the values and files clearly visible? I do not want to go the Swarm direction and its SECRETS at this time.
EDIT: this is not being pushed to Hub or a repository, so I am not worried about security in that regard.
Upvotes: 0
Views: 1648
Reputation: 9364
Unless I am the only one that knows how to access the specific container, I am pretty sure that this is NOT a safe option
If someone else knows how to access the container, he/she will be able to run:
# to get contents of JSON file
docker exec container_name cat /app/.some.json
# to print all env vars inside container
docker exec container_name env
I am pretty sure that this is NOT a safe option
The unsafe option is allowing unknown persons to control/access the server side. The container contents are the last destination: if someone gets access to it, it is game over and there is no reason to hide information.
Setting variables and secrets inside ENVs and config files only helps to .gitignore). Also this article may be helpful for you.
Upvotes: 3
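As an added example (not part of either post above), the script below parses `docker inspect` output and reports which env_file keys and bind-mounted files are readable by anyone with Docker socket access, which is the point the answer makes. The inspect document embedded in it is constructed, not captured from the asker's container, and the secret-key pattern is an assumption to adjust for your own naming scheme.

```python
import json
import re
import sys

# Constructed sample of `docker inspect container_name` output, trimmed to the
# two fields that matter here: env_file values land in Config.Env and
# bind-mounted files show up in Mounts. Not real output from any container.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/name",
    "Config": {"Env": ["API_TOKEN=constructed-value", "TZ=UTC",
                       "PATH=/usr/local/bin:/usr/bin"]},
    "Mounts": [
        {"Type": "bind", "Source": "/srv/app/.some.json",
         "Destination": "/app/.some.json", "RW": True},
        {"Type": "bind", "Source": "/etc/timezone",
         "Destination": "/etc/timezone", "RW": False},
    ],
}])

# Assumed naming convention for credential-bearing keys; extend as needed.
SECRET_KEY = re.compile(r"(TOKEN|SECRET|PASS|KEY|COOKIE)", re.IGNORECASE)


def audit_inspect(inspect_json):
    """Return which env keys and mounted files `docker inspect` exposes.

    Only key names and paths are returned, never the values, so the audit
    result can be logged without copying the secrets a second time.
    """
    data = json.loads(inspect_json)[0]
    exposed_env = []
    for entry in data.get("Config", {}).get("Env", []):
        key, _, _ = entry.partition("=")
        if SECRET_KEY.search(key):
            exposed_env.append(key)
    # A bind-mounted dotfile or JSON file is readable with `docker exec ... cat`;
    # an RW mount can also be modified from inside the container.
    exposed_files = []
    for m in data.get("Mounts", []):
        name = m["Destination"].rsplit("/", 1)[-1]
        if m["Type"] == "bind" and (name.startswith(".") or name.endswith(".json")):
            exposed_files.append((m["Source"], m["Destination"], m["RW"]))
    return {"env": exposed_env, "files": exposed_files}


if __name__ == "__main__":
    # Live usage: docker inspect name | python3 audit.py
    src = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit_inspect(src), indent=2))
```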