{"id":296757,"date":"2021-07-12T15:14:36","date_gmt":"2021-07-12T12:14:36","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-secure-sensitive-data-with-docker-compose-secrets-cloudsavvy-it\/"},"modified":"2021-07-12T15:14:36","modified_gmt":"2021-07-12T12:14:36","slug":"how-to-secure-sensitive-data-with-docker-compose-secrets-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-secure-sensitive-data-with-docker-compose-secrets-cloudsavvy-it\/","title":{"rendered":"#How to Secure Sensitive Data With Docker Compose Secrets \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Secure Sensitive Data With Docker Compose Secrets \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage aligncenter size-full wp-image-10864\" 
src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/04\/075c8694.jpeg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Illustration showing the Docker logo\" width=\"1600\" height=\"900\" \/><\/p>\n<p>Safe secret management is an important aspect of container security. If you\u2019re injecting passwords and API keys as environment variables, you risk unintentional information exposure. Shell variables are often logged, passed down to child processes, or leaked to error reporting services without your knowledge.<\/p>\n<p>Injecting values as dedicated secrets mitigates these risks. Docker has built-in support for <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/engine\/swarm\/secrets\">secure secret management<\/a> which you can hook into with Docker Compose. Access to secrets is granted on a per-service basis.<\/p>\n<h2 id=\"how-do-secrets-work\"><span class=\"ez-toc-section\" id=\"How_Do_Secrets_Work\"><\/span>How Do Secrets Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Docker CLI has a batch of <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.docker.com\/engine\/swarm\/secrets\">secret management commands<\/a> but these only work with Swarm clusters. You can\u2019t add secrets to standalone containers using the Docker CLI alone.<\/p>\n<p>Docker Compose added <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/docker\/compose\/pull\/4368\">\u201cfake\u201d secrets<\/a> to bring these capabilities to workloads without a cluster. Compose\u2019s implementation functions similarly to the Docker Swarm features and works with any Compose file.<\/p>\n<p>Secrets are created as regular text files which are bind mounted into your containers. 
Your application accesses the secret\u2019s value by reading the file\u2019s contents. This model lets values stay inert until they\u2019re explicitly used within your container, unlike permanently visible environment variables.<\/p>\n<h2 id=\"defining-secrets-in-compose-files\"><span class=\"ez-toc-section\" id=\"Defining_Secrets_in_Compose_Files\"><\/span>Defining Secrets in Compose Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Getting a secret into a container is a two-step process. First you need to define the secret, using the top-level <code>secrets<\/code> field in your Compose file. Then you update your service definitions to reference the secrets they require.<\/p>\n<p>Here\u2019s an example that uses secrets to safely supply a password to a service:<\/p>\n<pre class=\"yaml\">version: \"3\"\nservices:\n  app:\n    image: example-app:latest\n    secrets:\n      - db_password\nsecrets:\n    db_password:\n      file: .\/db_password.txt<\/pre>\n<p>The secret\u2019s value will be read from your working directory\u2019s <code>db_password.txt<\/code> file when you run <code>docker-compose up<\/code>. Compose will mount the file to <code>\/run\/secrets\/db_password<\/code> within the container. Your app can access the database password by reading the contents of the secret file.<\/p>\n<h2 id=\"using-existing-docker-secrets\"><span class=\"ez-toc-section\" id=\"Using_Existing_Docker_Secrets\"><\/span>Using Existing Docker Secrets<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Beyond file-based secrets, Compose also lets you reference existing Docker Swarm secrets. If you use this mechanism, you must create the secrets in Docker <em>before<\/em> you run <code>docker-compose up<\/code>. 
The <code>docker secret<\/code> commands will only work when your active Docker endpoint is a Swarm manager node.<\/p>\n<p>Create the secret using the Docker CLI:<\/p>\n<pre class=\"bash\"># take value from standard input (printf avoids the trailing newline that echo would add to the stored secret)\nprintf '%s' 'P@55w0rd' | docker secret create db_password -\n\n# or take value from a file\ndocker secret create db_password .\/db_password.txt<\/pre>\n<p>Now update your Docker Compose file to reference the secret:<\/p>\n<pre class=\"yaml\">version: \"3\"\nservices:\n  app:\n    image: example-app:latest\n    secrets:\n      - db_password\nsecrets:\n    db_password:\n      external: true<\/pre>\n<p>Setting the secret\u2019s <code>external<\/code> field instructs Compose to source its value from your existing Docker secrets. The stack will fail with an error if you try to start it before the secret exists.<\/p>\n<h2 id=\"extended-secret-syntax\"><span class=\"ez-toc-section\" id=\"Extended_Secret_Syntax\"><\/span>Extended Secret Syntax<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Compose supports a longer secrets syntax if you need more granular control over the injection process. 
Switching to this syntax lets you customize file permissions and change the secret\u2019s mounted name.<\/p>\n<p>Five optional fields are available:<\/p>\n<ul>\n<li><strong><code>source<\/code><\/strong> \u2013 The name of the secret to reference \u2013 this must be one of the values defined in your Compose file\u2019s <code>secrets<\/code> section.<\/li>\n<li><strong><code>target<\/code><\/strong> \u2013 Filename to use when the secret is mounted into the container.<\/li>\n<li><strong><code>uid<\/code><\/strong> \u2013 UID to set on the mounted secret file. Defaults to 0.<\/li>\n<li><strong><code>gid<\/code><\/strong> \u2013 GID to set on the mounted secret file. Defaults to 0.<\/li>\n<li><strong><code>mode<\/code><\/strong> \u2013 Filesystem permissions to apply to the mounted secret file, expressed in octal notation. This defaults to 0444. Beware that secret files are never writable as they\u2019re always mounted into a container\u2019s temporary filesystem.<\/li>\n<\/ul>\n<p>Here\u2019s a modified example which renames the mounted secret file and changes its permissions:<\/p>\n<pre class=\"yaml\">version: \"3\"\nservices:\n  app:\n    image: example-app:latest\n    secrets:\n      - source: db_password\n        target: database_password_secret\n        mode: 0440\nsecrets:\n    db_password:\n      external: true<\/pre>\n<p>The short syntax is sufficient for most deployments. If you\u2019ve got more specific requirements, the extended version should give you the control you need. Individual secret references can mix and match the two syntaxes within the same Compose file.<\/p>\n<h2 id=\"secrets-and-image-authorship\"><span class=\"ez-toc-section\" id=\"Secrets_and_Image_Authorship\"><\/span>Secrets and Image Authorship<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Many popular community Docker images now support secrets instead of environment variables. 
As an image author, offering secrets is a best practice approach to protecting your users\u2019 data.<\/p>\n<p>You can support both mechanisms by allowing environment variables to be set to a file path. If your image needs a database connection, let users set the <code>DB_PASSWORD<\/code> environment variable to either <code>P@55w0rd<\/code> or <code>\/run\/secrets\/db_password<\/code>. Your container should check whether the variable\u2019s value references a valid file; if it does, discard it and read the final value out of the file.<\/p>\n<p>This model gives users the flexibility to choose the most appropriate mechanism for their deployment. Remember that not all users will be able to adopt secrets \u2013 if Swarm and Compose are both unavailable, they\u2019ll have no way of supplying their values.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Using secrets instead of regular environment variables reduces the risks of unintentional information disclosure. Imagine a worst case scenario where a container sent its environment variables to a compromised third-party logging service. Attackers now have your database password and API keys.<\/p>\n<p>By restricting secret data to filesystem access, values can\u2019t be inadvertently read as they\u2019re not a perpetual feature of your environment. Remember that secret files carry their own risks though. You may be tempted to commit them into source control, which would mean anyone with access to your repository could read their values.<\/p>\n<p>Secrets should be \u201csecret\u201d throughout your container\u2019s lifecycle. For production deployments, it\u2019s usually best to automate builds with a CI system. Set your secrets in your CI provider\u2019s pipeline settings, then use your build script to write them out to files which Compose can access. 
This ensures only you have access to the actual values, via your CI tool\u2019s interface.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/12631\/how-to-secure-sensitive-data-with-docker-compose-secrets\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Secure Sensitive Data With Docker Compose Secrets \u2013 CloudSavvy IT&#8221; Safe secret management is an important aspect of container security. If you\u2019re injecting passwords and API keys as environment variables, you risk unintentional information exposure. 
Shell variables are often logged, passed down to child processes, or leaked to error reporting services without your&#8230;<\/p>\n","protected":false},"author":1,"featured_media":296758,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/04\/075c8694.jpeg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-296757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/296757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=296757"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/296757\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/296758"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=296757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=296757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=296757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}