Managing Credentials and Passwords in Docker Containers
Understanding Docker Authentication and Credential Management
Docker provides several mechanisms for handling sensitive information such as passwords and authentication tokens. Understanding these mechanisms is essential for maintaining security in containerized environments.
Registry Authentication
When interacting with container registries like Docker Hub or private registries, authentication credentials must be provided. These credentials are typically stored in the Docker client configuration file located at ~/.docker/config.json.
{
"auths": {
"registry.example.com": {
"auth": "c2VjdXJlX3VzZXJuYW1l:YXNkZnNkZnNkZnNkZnNkZnM="
}
}
}
The auth field contains a Base64-encoded string combining the username and password in the format username:password.
Passing Credentials to Containers
Evnironment Variables
The most common approach for passing passwords to applications running inside containers is through environment variables:
docker run -d \
-e DB_PASSWORD="secure_password_here" \
-e API_SECRET="another_secret_value" \
myapplication:latest
Docker Secrets
For production environments, Docker Swarm provides a secrets management feature:
echo "my_secret_password" | docker secret create db_password -
docker service create \
--name database_service \
--secret db_password \
mysql:latest
Kubernetes Secrets
In Kubernetes environments, secrets can be created and mounted as files or environment variables:
apiVersion: v1
kind: Secret
metadata:
name: app-credentials
type: Opaque
data:
username: YWRtaW4=
password: cGFzc3dvcmQxMjM=
---
apiVersion: v1
kind: Pod
metadata:
name: application-pod
spec:
containers:
- name: app-container
image: myapp:latest
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: app-credentials
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: app-credentials
key: password
Security Best Practices
1. External Secret Management
Integrate with external secret management tools such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault instead of hardcoding credentials in images or configuration files.
2. Image Scanning
Regularly scan Docker images for embedded secrets using tools like Trivy or Clair:
trivy image --security-checks secret myimage:latest
3. Least Privilege
Ensure containers run with non-root users and have minimal required permissions:
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
COPY --chown=appuser:appgroup . /app
CMD ["node", "app.js"]
4. Rotate Credentials
Implement automated credential rotation procedures. Database passwords, API keys, and tokens should be rotated on a regular schedule.
5. Avoid Layer Caching
Never bake secrets into Docker layers, as they persist in image history:
# Bad practice - secret exposed in layer
FROM alpine
RUN echo "secret_token" > /app/token
# Better approach - runtime injection only
FROM alpine
COPY entrypoint.sh /entrypoint.sh
CMD ["/entrypoint.sh"]
State Diagram: Credential Lifecycle
stateDiagram-v2
[*] --> NoCredentials
NoCredentials --> RotationScheduled: Rotation Policy Set
RotationScheduled --> Rotating: Scheduled Time Reached
Rotating --> ActiveCredentials: New Credentials Applied
ActiveCredentials --> RotationScheduled: Next Rotation Scheduled
ActiveCredentials --> Compromised: Security Alert
Compromised --> Rotating: Emergency Rotation
Implementation Timeline
| Phase | Activity | Duration |
|---|---|---|
| 1 | Audit existing configurations | Week 1 |
| 2 | Implement secret management solution | Week 2-3 |
| 3 | Update container configurations | Week 4 |
| 4 | Deploy and test | Week 5 |
| 5 | Document procedures | Week 6 |
