
How To Use Docker Secrets for Secure Credential Management?

Last Updated : 16 Jul, 2023

Most applications hold data that should not be visible to everyone, for example passwords, certificates, keys, API tokens and database credentials. This sensitive data should also not be stored unencrypted inside the application. This is where Docker Secrets come into the picture: they are a way to deliver sensitive data to the containers that need it, without baking it into images or environment variables. The data can then be used to validate and authenticate users and give them access to the applications.

Install Docker

Installing Docker on Ubuntu is fairly simple. You just need to run these few commands in the terminal (the Ubuntu package is named docker.io, and the service commands need root):

sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker

Managing Docker Secrets

To manage Docker Secrets effectively we should know all the following:

  1. Overview of Docker Swarm and its role in managing secrets.
  2. Differences between managing secrets in standalone Docker and Swarm mode.
  3. Enabling Docker Swarm mode for Docker Secrets to work.
  4. Good Practices for Docker Secrets.
  5. Creating Docker Secrets.
  6. Using Docker Secrets.

Overview of Docker Swarm And Its Role In Managing Secrets

Docker Swarm is an orchestration service, like Kubernetes (K8s), that manages multiple Docker daemons together. A swarm is made up of multiple Docker hosts running in swarm mode, which can serve as managers (to manage membership and delegation), as workers (to run swarm services), or as both. Any node in the cluster can deploy and access each container within the swarm.

Some of the features of Docker Swarm include:

  1. Load Balancing: Within a swarm there is automatic load balancing, and we can script and arrange it the way we want. The swarm manager exposes the services we want to make publicly available via ingress load balancing, and we can also specify how traffic is distributed between nodes.
  2. Decentralization: Docker Engine handles any specialization at runtime rather than handling differences between node roles at deployment time, so both managers and workers are deployed as ordinary nodes. This makes accessing and managing the Docker environment straightforward.
  3. Scalability: Load balancing already makes swarm mode very scalable. In addition, we can specify how many tasks we want for each service, and the swarm manager adjusts by starting or stopping tasks to maintain the desired state when we scale up or down.
  4. Security: Every node in the swarm uses TLS authentication and encryption to protect connections between itself and every other node. We can also choose to use root certificates that are either self-signed or issued by our own root CA.
  5. Rolling back: Swarm lets you roll back to a previous version of a service if there are any issues in the new release.

Differences Between Standalone Docker and Swarm Mode

Standalone Docker containers and swarm mode are both used to deploy applications but have some significant differences. Some of them are mentioned below:

  • One of the big differences is that Docker Secrets only work in swarm mode, not with standalone containers.
  • Another significant difference is that standalone containers can be started on any daemon, whereas swarm services can only be managed by swarm managers. A swarm of Docker daemons can have managers, workers, or both.
  • In swarm mode, a service's configuration, including the networks and volumes it is attached to, can be changed without manually restarting the service. When the configuration is updated, Docker terminates the service tasks that have the outdated configuration and starts new ones with the desired configuration.

Clearly, swarm mode has many advantages over standalone containers and is also required for secrets, so let us move on to enabling it.

Enabling Docker Swarm mode for Docker Secrets to work

One prerequisite for creating and using Docker Secrets is to enable swarm mode, since secrets are only available to swarm services. To verify whether swarm mode is enabled, run the following command and look at the "Swarm:" line in its output (it reads active or inactive):

docker info

(Screenshot: output of docker info)

If the Swarm mode is inactive, we can enable it by doing the following steps:

Step 1: Find the IP address of the interface Docker should advertise on by running this command (or ip addr show on systems without net-tools).

ifconfig

Step 2: Use the IP address we just found out to initialize the swarm environment i.e., enable swarm mode using this command.

docker swarm init --advertise-addr <IP address>

(Screenshot: output of docker swarm init)

Step 3: We can confirm it is successfully enabled by checking the output of the docker info command again.

Creating Docker Secrets

Now, since we have swarm mode enabled we can use Docker Secrets and start creating them.

To create a secret we use the docker secret create command. It reads the secret's value from a file, or from standard input when the file argument is -. Piping the value with printf rather than echo avoids storing a trailing newline as part of the secret:

printf '%s' 'vrinda_secret' | docker secret create demo_secret -

Another way of creating a secret, if we want to use the content of a file, is as follows (a secret name must be unique within the swarm, so pick a different name if demo_secret already exists):

docker secret create demo_secret /var/lib/secrets/demo_secrets

To list the secrets we created, we can use the ls subcommand as follows:

docker secret ls

(Screenshot: output of docker secret ls)

Using Docker Secrets

After creating secrets, there are several ways to use them:

  1. With Docker Compose, by adding a "secrets" key to the docker-compose.yml file.
  2. During an image build from a Dockerfile.
  3. In sidecar containers, with the help of a separately mounted volume.

Each way in detail:

1. To use a secret with docker-compose.yml, list the secret's name under the service in the services block and define where its value comes from (here a file) in a separate top-level secrets block. Inside the container the secret then appears as the file /run/secrets/demo_secret; when the file is deployed with docker stack deploy -c docker-compose.yml <stack name>, the file's content becomes a swarm secret. A sample compose file:

version: '3.4'
services:
  demo_application:
    image: demo_application:latest
    volumes:
      - /var/lib/demo_application
    secrets:
      - demo_secret
secrets:
  demo_secret:
    file: /Desktop/demo_secret.txt

This method ensures that a secret is accessible only to the services that have been explicitly granted access, and that it lives only in memory (a tmpfs mount) while that service is running, in contrast to the other methods.

2. A Dockerfile cannot fetch swarm secrets, and an ENV instruction would write the value into an image layer, where anyone who can pull the image can read it. To use a secret while building an image, mount it into the single RUN step that needs it with a BuildKit build secret (requires BuildKit). A sample for this could be:

# the secret is mounted only while this RUN step executes and never lands in an image layer
RUN --mount=type=secret,id=demo_secret DEMO_SECRET="$(cat /run/secrets/demo_secret)" && <command that needs $DEMO_SECRET>

The value is supplied at build time with docker build --secret id=demo_secret,src=/Desktop/demo_secret.txt . and is not stored in the resulting image. At run time, a swarm secret is delivered by the Docker daemon as the file /run/secrets/demo_secret inside the container, not as an environment variable.

3. To use a secret with sidecar containers, we again modify docker-compose.yml. Here a separate volume is mounted for secret material, read-only, alongside the service's secrets entry. A sample for the same would be:

version: '3.4'
services:
  demo_application:
    image: demo_application:latest
    volumes:
      - /var/lib/demo_application
      # separate volume reserved for secret material, mounted read-only
      - /var/lib/secrets:/demo_secret:ro
    secrets:
      - demo_secret
secrets:
  demo_secret:
    file: /var/lib/secrets/demo_secrets
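An added example, not from the original article, of how a container entrypoint consumes a secret delivered by the methods above: a POSIX sh helper that reads /run/secrets/<name>, falling back to the _FILE suffix convention many official images use, and only then to a plain environment variable. The SECRETS_DIR override and the function name are this example's own assumptions.

```shell
#!/bin/sh
# Entrypoint helper (added example): read a secret from the tmpfs mount that
# swarm provides at /run/secrets/<name> instead of taking it from the
# environment. SECRETS_DIR is overridable so the helper can be tested locally.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME: print the value of secret NAME without a trailing newline.
# Lookup order: $SECRETS_DIR/NAME, then the file named by $NAME_FILE (the
# convention official images use), then $NAME itself (with a warning).
read_secret() {
  name="$1"
  # only allow identifier characters: the name is spliced into an eval below
  case "$name" in
    *[!A-Za-z0-9_]*|'') echo "read_secret: invalid secret name '$name'" >&2; return 1 ;;
  esac
  upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
  src="$SECRETS_DIR/$name"
  if [ ! -r "$src" ]; then
    # indirect expansion of ${NAME_FILE} in POSIX sh
    src=$(eval "printf '%s' \"\${${upper}_FILE:-}\"")
  fi
  if [ -n "$src" ]; then
    [ -r "$src" ] || { echo "read_secret: $src is not readable" >&2; return 1; }
    # command substitution strips trailing newlines, so a value created with
    # echo instead of printf is cleaned up here
    printf '%s' "$(cat "$src")"
    return 0
  fi
  val=$(eval "printf '%s' \"\${${upper}:-}\"")
  if [ -n "$val" ]; then
    echo "read_secret: $name taken from environment; prefer a mounted secret" >&2
    printf '%s' "$val"
    return 0
  fi
  echo "read_secret: secret $name not found" >&2
  return 1
}

# typical use in an entrypoint:
#   DB_PASSWORD=$(read_secret demo_secret) || exit 1
```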

Good Practices for Docker Secrets

Some good practices when using Docker Secrets:

  • Create secrets only for information that is actually sensitive. Do not turn every configuration value into a secret; use them only for data that must be protected.
  • Change your secrets frequently. Like any other password, a secret should be rotated regularly and should be strong enough.
  • Keep an eye out for unauthorized access to secrets in your Docker system, and manage access properly: a container that does not require a secret should not have access to it.
  • Use strong passwords and encryption keys as secret values.
  • Do not add secret values directly to the Docker Compose YAML file. Instead, keep them in a separate file and reference that file's path in the Compose file.
  • Minimize or completely avoid logging secrets. Even while testing, avoid logging secret values directly; mask them or debug in some other way.
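An added example (not the article's own) of the rotation practice above: because swarm secrets are immutable, a rotation creates a new versioned secret, swaps it onto the running service under the same mount name, and removes the old one. The service name demo_application, the _v<N> naming scheme and the DOCKER override used for dry runs are assumptions of this example.

```shell
#!/bin/sh
# Rotate a swarm secret (added example). Swarm secrets are immutable, so
# rotation means: create <base>_v<N+1>, swap it onto the service under the
# same mount name, then remove the old version. Assumes the service already
# references <base>_v<N>; DOCKER is overridable so the flow can be dry-run.
set -eu

DOCKER="${DOCKER:-docker}"

# rotate_secret SERVICE BASE OLD_VER NEW_VER FILE
# FILE holds the new value; passing it as a file keeps the value out of
# shell history and `ps` output. Prints the name of the new secret.
rotate_secret() {
  service="$1"; base="$2"; old_ver="$3"; new_ver="$4"; file="$5"
  old="${base}_v${old_ver}"; new="${base}_v${new_ver}"
  [ "$new_ver" -gt "$old_ver" ] 2>/dev/null \
    || { echo "rotate_secret: new version must be greater than old" >&2; return 1; }
  [ -r "$file" ] || { echo "rotate_secret: cannot read $file" >&2; return 1; }
  # 1. create the new version
  "$DOCKER" secret create "$new" "$file" >/dev/null
  # 2. swap it on the service; target=<base> keeps /run/secrets/<base> stable
  #    so the application never needs to know the version number
  if ! "$DOCKER" service update --secret-rm "$old" \
         --secret-add "source=$new,target=$base" "$service" >/dev/null; then
    # the service still uses the old version: drop the orphaned new one
    "$DOCKER" secret rm "$new" >/dev/null
    echo "rotate_secret: service update failed, rolled back" >&2
    return 1
  fi
  # 3. nothing references the old version any more
  "$DOCKER" secret rm "$old" >/dev/null
  echo "$new"
}

# example: rotate_secret demo_application demo_secret 1 2 ./new_secret.txt
```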

Advantages of Docker Secrets

  1. They can store any kind of data that can be represented as a string or as binary.
  2. They are stored by the Docker daemon and are accessible only to the containers that need them, not to all of them.
  3. They offer an abstraction layer between the credentials and the containers.
  4. This keeps our application code separate from our configuration.
  5. They follow the Principle of Least Privilege (PoLP), which ensures that users and containers have access only to the specific secrets they need.
  6. The only limitation on storing data with Docker Secrets is the maximum allowed size, i.e., 500KB.

Conclusion

In conclusion, any containerized application should make careful use of the secret management Docker provides. Docker Secrets have many benefits: they offer a mechanism to store sensitive data safely and keep our code separate from our configuration. By following the good practices above, we can use them to their full advantage.
