Docker polices secrets, in Iron Man suit no less

Secrets management can present problems for those working in containerized environments. Storing secrets – API keys, SSH keys, TLS certificates and other sensitive data used for authentication and authorization – within a container image may be the path of least resistance but doing so is insecure. Anyone with access to the container image will have access to the secrets within.

Docker environmental variables represent another option, but not a particularly good one since access to the host provides access to the secrets through the inspect command.

Secrets can be encrypted but that means creating a new Docker image if you want to change your secrets.

A common solution for Docker users involves using third-party secret management software like HashiCorp's Vault or Square's Keywhiz.

Docker, however, wants security to be baked into its containers, just as it recently said it intends to do for storage. On Thursday, the company plans to introduce container-native secrets management through its enterprise product, Docker Datacenter.

Building upon the Swarm cluster secrets management capabilities introduced in its 1.13 release last month, Docker's follow-up release, 1.13.1, makes secrets work with the Compose files, which define services, networks, and volumes.

In conjunction with the version bump, Docker Datacenter can now offer organizations secrets management out of the box.

"We really think this is a dramatic improvement for the security of users," said Nathan McCauley, director of security at Docker, in a phone interview with The Register.

Docker's approach involves an encrypted distributed datastore that's built into its orchestration system. It encrypts secrets at rest in custer managers and delivers them over an encrypted TLS connection when containers are provisioned. Security is maintained by only providing secrets to authorized applications in a container and never saving them to nodes in the cluster, where they might be accessed.

Docker Data Center makes secrets subject to role-based access controls and policies, something enterprises care quite a bit about. It provides control over who can deploy which containers, who can create secrets, and who can start and stop containers.

McCauley said that Docker's goal is to provide security by default and to offer usable tooling that makes sense for developers and operations personnel. "Our position is the right place to solve this is within Docker itself, because it's so critical to get this part of the workflow right," he said.

With proper secrets management, McCauley contends containers can be more secure than running applications in other environments.

"When you take an application and put it in Docker, it's like Tony Stark getting into the Iron Man suit," said McCauley.

In other words, sweaty. ®