I am a junior DE at my first job and have to work a lot with Docker. I have a CI/CD setup made by other team and part of it is a Dockerfile that takes ARGs, some of them with sensitive data (e.g. password).
While I have a general understanding of Docker, I was wondering what is the best practice for inserting sensitive data (e.g. password) into Dockerfile arguments? E.g. I have "ARG CONDA_PASSWORD" that should take password stored locally in a text file. What's the best practice to insert my local password and login into the Dockerfile arguments? Those credentials (login, password) are needed for authorisation at the next steps of pipeline.
Couldn't find any definite answer in Docker documentation or online. My initial idea was to set them in .bashrc and have setup as environmental variables (export CONDA_USER=...), but I am not sure about safety of such solution. Thanks for help!
Related
I am trying to pull images from the same Artifactory repo using 2 different access tokens. This is because one image is available to one user, and another one is accessible by another user.
I tried using docker login, but I can login only once to a repo. Is there a way to specify in the docker-compose.yml file a user and token that Compose should use in order to pull the image?
The docker-compose file specification does not support providing credentials per service / image.
But putting this technicality aside, the described use case clearly indicates there is a user who needs access to both images...
My docker build requires a .env-local file for local development. I keep some env vars there, which are defined also in online environment. One of those values is... a password :) This is my personal password for some API usage. I don't want anyone to see it!
The .env-local file is git-ignored, so there's hardly a chance that I would accidentally push it. However the password is written in plain text, so there's a chance that while screen sharing or just cooperating with my repo open, someone sees the inside of my .env-local.
How can I store the password more securely? It's not about 100% ultra secure method, but I just don't want someone to see my password by accident...
I am currently facing an issue and cannot find a proper answer on internet.
In my jenkins directory I have a file with a lot of confidentials data such as username and passwords. I need to encrypt it and be able to use these data inside a pipeline.
I was thinking of encrypting it and add the key inside jenkins credential but I am not sure if it is a good idea or not.
Do you have ideas about how I can perform this operation in the most secure way ?
Thank you in advance for your answer !
I have a dockerfile where I am trying to copy everything in Github to dockerfile and build it as an image. I have a file called config.json which contains sensitive user data such as username and password. This will also be copied. The issue here is, I want this data to be encrypted and passed onto the dockerfile. While the image is being deployed onto kubernetes, I want this data to be decrypted back again. Can anyone please suggest an ideal method of doing this.
You shouldn't put this in the container image at all. Use a tool like Sealed Secrets, Lockbox, or sops-operator to encrypt the values separately, and then those get decrypted into a Secret object in Kubernetes which you can mount into your container as a volume so the software sees the same config.json file but it's stored externally.
As other people have mentioned the technically correct way to do this is to treat secrets like ordinary config and have something external to the container doing the secret-fu to keep everything safe.
However sometimes you may be in a situation in which the the technically correct thing is not the practically correct thing and you need to deploy config and/or secrets in your artifact/docker image.
If you just need to encrypt a single file, generating a key and doing symmetric encryption using a tool like gpg may be the easiest way to go about doing this.
If you are encrypting many files or encrypting them frequently it may make sense to use asymmetric encryption to do so. In this case, PKCS7/cms may make sense and the openssl binary conveniently has a cms subcommand for encrypting and decrypting CMS content.
I use Heroku to deploy a Rails app. I store sensitive data such as API keys and passwords in Heroku's environment variables, and then use the data in rake tasks that utilize various APIs.
I am just wondering how secure Heroku's environmental variables are? Is there a way to hash these variables while retaining the ability to use them in the background somehow?
I came across a previous thread here: Is it secure to store passwords as environment variables (rather than as plain text) in config files?.
But it doesn't quite cover instances when I still need to unhashed password to perform important background tasks.
Several things (mostly my opinion):
--
1. API Key != Password
When you talk about API Keys, you're talking about a public token which is generally already very secure. The nature of API's nowadays is they need some sort of prior authentication (either at app or user level) to create a more robust level of security.
I would firstly ensure what type of data you're storing in the ENV variables. If it's pure passwords (for email etc), perhaps consider migrating your setup to one of the cloud providers (SendGrid / Mandrill etc), allowing you to use only API keys
The beauty of API keys is they can be changed whilst not affecting the base account, as well as limiting interactivity to the constrains of the API. Passwords affect the base account
--
2. ENV Vars are OS-level
They are part of the operating environment in which a process runs.
For example, a running process can query the value of the TEMP
environment variable to discover a suitable location to store
temporary files, or the HOME or USERPROFILE variable to find the
directory structure owned by the user running the process.
You must remember Environment Variables basically mean you store the data in the environment you're operating. The generally means the "OS", but can be the virtual instance of an OS too, if required.
The bottom line is your ENV vars are present in the core of your server. The same way as text files would be sitting in a directory on the hard drive - Environment Variables reside in the core of the OS
Unless you received a hack to the server itself, it would be very difficult to get the ENV variable data pro-grammatically, at least in my experience.
What are you looking for? Security against who or what?
Every piece of information store in a config file or the ENV is readable to everyone who has access to the server. And even more important, every gem can read the information and send it somewhere.
You can not encrypt the information, because then you need to store the key to decrypt somewhere. Same problem.
IMO both – environment variables and config files – are secure as long you can trust everyone that has access to your servers and you carefully reviewed the source code of all libraries and gems you have bundled with your app.