The latest version of Docker Datacenter, Docker’s end-to-end container service for enterprises, now solves a common problem with containers: How to store secrets—API keys, passwords, encryption keys—in containerized apps without betraying those secrets.
Docker's solution, Docker Secrets Management, provides a standardized interface for storing and retrieving secrets in containerized apps. It's compatible with both container-native apps and legacy apps that have been containerized.
A nice, safe place for everything
By providing a safe place to store secrets, Docker enhances enhances not only security but convenience. Adding secrets directly to application source code is tough to maintain and highly insecure, whether your apps are inside containers or not. It’s also convenient to have a single, consistent manner to store and retrieve secrets throughout an organization. Docker believed these items were the responsibility of the platform provider and set out to address them.
Docker Secrets runs wherever Docker Datacenter runs—in a public cloud, on-premises cloud or bare metal, hybrid cloud, and so on. Secrets are always encrypted when at rest, are only delivered by way of a TLS connection, and are only provided to applications that are authorized to receive them.
When secrets are delivered to an app, they’re exposed by what amounts to a virtual file system, so legacy apps that store secrets in a configuration file can make use of the system. That said, secrets are never written to disk unencrypted. In fact, when used by an application, they’re not written to disk at all; the virtual file system is functionally similar to a RAM disk.
Who else has a secret to share?
If you’re running Docker apart from Docker Datacenter, it’s still possible to add secrets using the docker secret command. Docker Secrets doesn’t require you to integrate the secret into a container, which is handy if you're dealing with secrets that change often, such as API keys. Secrets is also intended to be end-to-end secure, so secrets are never exposed in plaintext at any point.
Third-party products like HashiCorp Vault or Kubernetes’ secrets system can also provide secrets to apps in Docker containers. However the latter, in particular, has shortcomings that Docker Secrets seems aimed at addressing, namely that secret data is stored as plaintext; peer-to-peer communication of secrets isn’t by default secured with TLS (it’s possible to do so, but it’s not the default); and secrets can be read too easily by applications they’re not intended for.
Docker Secrets is currently designed only to use its own internal store, presumably for the sake of keeping tight control over the delivery chain for secrets. However, in a Hacker News thread devoted to the product, Docker security team member Diogo Mónica noted that support for external stores is in the works, “First implementation will probably be w/Vault, but we would love for this to come from the community,” Mónica said.