Docker Datacenter protects app secrets
13 February 2017
The latest version of Docker Datacenter, the end-to-end container service for enterprises, now solves a common problem with containers: how to store secrets, such as API keys, passwords and encryption keys, in containerised applications without exposing them.
Docker’s solution, Docker Secrets Management, provides a standardised interface for storing and retrieving secrets in containerised apps. It is compatible with both container-native applications and legacy applications that have been containerised.
Safe place for everything
By providing a safe place to store secrets, Docker enhances not only security but convenience. Adding secrets directly to application source code is tough to maintain and highly insecure, whether applications are inside containers or not. It is also convenient to have a single, consistent manner to store and retrieve secrets throughout an organisation. Docker believed these items were the responsibility of the platform provider and set out to address them.
Docker Secrets runs wherever Docker Datacenter runs — in a public cloud, on-premises cloud or bare metal, hybrid cloud, and so on. Secrets are always encrypted when at rest, are only delivered by way of a TLS connection, and are only provided to applications that are authorised to receive them.
When secrets are delivered to an application, they are exposed by what amounts to a virtual file system, so legacy applications that store secrets in a configuration file can make use of the system. That said, secrets are never written to disk unencrypted. In fact, when used by an application, they are not written to disk at all; the virtual file system is functionally similar to a RAM disk.
Secret to share
If you’re running Docker apart from Docker Datacenter, it is still possible to add secrets using the docker secret command. Docker Secrets does not require you to bake the secret into a container image, which is handy if you are dealing with secrets that change often, such as API keys. Docker Secrets is also intended to be end-to-end secure, so secrets are never exposed in plaintext at any point.
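To make the delivery model described in the two passages above concrete (secrets created with the docker secret command, then handed to the application as files on an in-memory filesystem), here is an added example; it is not code from the article or from Docker. It is a POSIX shell snippet showing how a containerised application should read a secret that Docker has mounted as a file, with the create-and-grant commands shown as comments. It assumes the standard swarm mount path /run/secrets (SECRETS_DIR is overridable only so the snippet can run outside a container), the VAR_FILE environment-variable convention used by many official images, and constructed secret names and values.

```shell
#!/bin/sh
# Added example (not from the article or from Docker): consuming a secret
# that Docker has mounted into a service container.
#
# Creating and granting the secret happens outside the container:
#   printf '%s' 's3cr3t' | docker secret create db_password -
#   docker service create --name app --secret db_password my-image
# The service then sees the value as the file /run/secrets/db_password on a
# tmpfs mount, so it never touches disk and never appears in the image,
# in `docker inspect` output or in the process environment.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # overridable for testing only

# read_secret_file PATH: print the secret stored in PATH, or fail loudly.
read_secret_file() {
    path="$1"
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "secret file not available: $path" >&2
        return 1
    fi
    # Command substitution drops trailing newlines, the usual artefact of
    # creating a secret with `echo` rather than `printf '%s'`.
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "secret file is empty: $path" >&2
        return 1
    fi
    printf '%s' "$value"
}

# read_secret NAME: read the Docker-mounted secret called NAME.
read_secret() {
    read_secret_file "$SECRETS_DIR/$1"
}

# resolve_setting VAR: honour the VAR_FILE convention if set (e.g.
# DB_PASSWORD_FILE=/run/secrets/db_password), otherwise fall back to the
# mounted secret named after VAR in lower case. There is deliberately no
# fallback to a literal baked into the image or passed as plain VAR.
resolve_setting() {
    var="$1"
    file=$(eval "printf '%s' \"\${${var}_FILE:-}\"")
    if [ -n "$file" ]; then
        read_secret_file "$file"
        return
    fi
    read_secret "$(printf '%s' "$var" | tr 'A-Z' 'a-z')"
}

# warn_if_not_tmpfs DIR: on Linux, check that DIR really is an in-memory
# mount, so a deployment that replaced it with a bind mount is noticed.
warn_if_not_tmpfs() {
    dir="$1"
    if [ -r /proc/mounts ] && ! grep -q " $dir tmpfs " /proc/mounts; then
        echo "warning: $dir is not a tmpfs mount" >&2
        return 1
    fi
    return 0
}

# Typical use inside the container entrypoint:
#   DB_PASSWORD=$(resolve_setting DB_PASSWORD) || exit 1
#   warn_if_not_tmpfs "$SECRETS_DIR"
```

The application only ever reads the file at start-up; it is not exported back into the environment or written anywhere else, which is what keeps the value off disk and out of container metadata.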
Third-party products such as HashiCorp Vault or Kubernetes’ secrets system can also provide secrets to apps in Docker containers. However, the latter in particular has shortcomings that Docker Secrets seems aimed at addressing, namely that secret data is stored as plaintext; peer-to-peer communication of secrets is not secured with TLS by default (it is possible to do so, but it is not the default); and secrets can be read too easily by applications they are not intended for.
Docker Secrets is currently designed only to use its own internal store, presumably for the sake of keeping tight control over the delivery chain for secrets. However, in a Hacker News thread devoted to the product, Docker security team member Diogo Mónica noted that support for external stores is in the works: “First implementation will probably be w/Vault, but we would love for this to come from the community.”
IDG News Service