Secure secrets management in Docker containers. Part 1

Secure secrets management in Docker containers from the offensive point of view. With examples and demo scripts.

[!NOTE] Container breakouts and other misconfigurations unrelated to secret management are out of scope for this post.

root@container # cat .env
export AWSJWT="eY..."

Containers: threat model

  • external attacker
  • authenticated access to an application (for some cases)
  • RCE in a docker container
  • access to a single server
  • access to a developer’s workstation

Secrets in files

the most common secret management issue

COPY --chown=container /home/user /home/container
container@1cd133db52a0:/$ cd
container@1cd133db52a0:~$ ls .ssh/
id_rsa  known_hosts

Secrets in files: COPY and ADD from developer workstations

  • build scripts
  • git secrets
  • curl commands
  • credential caches
  • env files

Secrets in files: .xyz_history

  • bash, zsh, fish, sh, and other shells
  • .mysql_histfile, psql history files, and other DBs
  • command-line editor or IDE caches
  • can be carried over when creating a container

Secrets in files: simple demo

Secrets in files: other source examples

  • SSH keys
  • local account passwords
  • local service secrets
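The file-based leaks listed above (home directories copied with COPY/ADD, shell and database history files, .env files, SSH keys) can be caught before an image is built by auditing the build context. The following is an added example for this post, not a script from the talk: it walks a directory, flags files by name (history files, .env, private SSH keys) and by content (PEM private keys, `export FOO_TOKEN=...` lines, curl calls with inline credentials), and only reports paths and reasons, never the secret values themselves. The name patterns and the sample tree it builds are constructed for illustration.

```python
"""Audit a directory tree for files that commonly carry secrets. Added example
for this post, not code from the talk. File-name patterns and the sample tree
below are constructed for illustration."""
import re
import tempfile
from pathlib import Path

# Names the post lists as typical carriers (assumption: illustrative, extend it).
SENSITIVE_NAMES = {".env", ".netrc", ".git-credentials",
                   ".mysql_history", ".psql_history", ".docker/config.json"}
SSH_KEY_RE = re.compile(r"(^|/)\.ssh/id_[a-z0-9]+$")   # private keys only, not *.pub / known_hosts
HISTORY_RE = re.compile(r"^\.[a-z]+_history$")         # .bash_history, .zsh_history, ...
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# "export FOO_TOKEN=...", "AWSTOKEN=..." in build scripts, curl/wget with inline credentials.
SECRET_LINE_RE = re.compile(
    r"\b(?:export\s+)?[A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|JWT)[A-Z0-9_]*\s*=\s*\S+"
    r"|\b(?:curl|wget)\b.*?(?:-H\s*['\"]?Authorization|-u\s+\S+:\S+|password=)",
    re.IGNORECASE,
)


def is_sensitive_path(rel: str) -> bool:
    """True when the relative path alone marks the file as a secret carrier."""
    name = rel.rsplit("/", 1)[-1]
    return (
        any(rel == s or rel.endswith("/" + s) for s in SENSITIVE_NAMES)
        or HISTORY_RE.match(name) is not None
        or SSH_KEY_RE.search(rel) is not None
    )


def scan_tree(root) -> list:
    """Return sorted (relative_path, reason) pairs. File contents are never
    echoed, so the audit log does not become a second copy of the secret."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_sensitive_path(rel):
            findings.append((rel, "sensitive file name"))
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if PRIVATE_KEY_RE.search(text):
            findings.append((rel, "PEM private key"))
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if SECRET_LINE_RE.search(line):
                findings.append((rel, f"secret-looking line {lineno}"))
                break
    return sorted(findings)


def build_sample_context() -> str:
    """Constructed build context mimicking the post's demo: a home directory
    that would be copied into the image together with a small app folder."""
    root = Path(tempfile.mkdtemp(prefix="ctx-"))
    files = {
        "home/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "home/.ssh/known_hosts": "git.example.invalid ssh-ed25519 AAAAC3constructed\n",
        "home/.bash_history": "curl -H 'Authorization: Bearer eyJconstructed' https://api.example.invalid/\n",
        "app/.env": 'export AWSJWT="eY.constructed"\n',
        "app/build.sh": "docker build --build-arg AWSTOKEN=constructedtoken .\n",
        "app/README.md": "Nothing secret here.\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_context()):
        print(f"{reason:24} {rel}")
```

Run it against a real build context (or an exported container filesystem) and fail the CI job on any finding; the `.ssh/id_rsa` hit is exactly the case the COPY demo above produces, while `known_hosts` and `README.md` stay silent.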

Secrets in environment variables

[!NOTE] Environment variables can also be leaked by the application itself, without any access to the container.

ENV AWSTOKEN=$secretToken
$ export AUTHT="1122334455667788"

secrets in env: common cases

  • API keys (curl -H "Authorization: $KEY" ...)
  • AWS/Azure/GCP access tokens
  • build environment secrets
  • even passwords (sometimes)

secrets in env: process environments

  • not only env in bash
find /proc -name environ -exec xargs -0 -L1 -a {} \; 2>/dev/null | sort -u
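The find command above dumps every readable process environment in the container. For a defender doing the same audit, the useful step is to parse those NUL-separated `/proc/<pid>/environ` blobs and decide which variables are credentials, by name or by value shape, while redacting them in the report. The following is an added example for this post, not part of the talk; the name list, the value patterns and the sample environment block are constructed here for illustration.

```python
"""Classify process environment variables that look like secrets. Added
example for this post; patterns and the sample block are constructed."""
import re
from pathlib import Path

# Variable names that usually hold credentials (assumption: illustrative list).
NAME_RE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|JWT|AUTH|CREDENTIAL|PRIVATE_KEY", re.I)
# Value shapes that are credentials whatever the variable is called.
VALUE_PATTERNS = {
    "jwt": re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"),
    "aws-access-key-id": re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
    "github-token": re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),
}

# Constructed stand-in for the bytes of /proc/<pid>/environ.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0HOME=/home/container\0"
    b"AUTHT=1122334455667788\0"
    b"AWSJWT=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl\0"
    b"AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDKEY01\0"
    b"DB_PASSWORD=hunter2\0LANG=C.UTF-8\0"
)


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        if not item:
            continue
        key, sep, value = item.decode("utf-8", "replace").partition("=")
        if sep:
            env[key] = value
    return env


def redact(value: str) -> str:
    """Keep a 4-character prefix so the report identifies the value without repeating it."""
    return value[:4] + "..."


def classify(env: dict) -> list:
    """Return (key, reason, redacted_value) for every variable that looks like a secret.
    Value shape wins over name so AWSJWT is reported as a JWT, not merely a suspicious name."""
    hits = []
    for key, value in env.items():
        reason = None
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                reason = f"value looks like {label}"
                break
        if reason is None and value and NAME_RE.search(key):
            reason = "name suggests a credential"
        if reason:
            hits.append((key, reason, redact(value)))
    return hits


def audit_proc(proc_root="/proc") -> dict:
    """Scan every readable <pid>/environ under proc_root, the same source the
    post's find command reads. Processes owned by other users are skipped
    rather than treated as errors. Returns {pid: [findings]}."""
    report = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            blob = (entry / "environ").read_bytes()
        except OSError:          # EACCES, ESRCH for exited processes, ...
            continue
        hits = classify(parse_environ(blob))
        if hits:
            report[int(entry.name)] = hits
    return report


if __name__ == "__main__":
    for key, reason, shown in classify(parse_environ(SAMPLE_ENVIRON)):
        print(f"{key:20} {reason:32} {shown}")
```

`audit_proc()` on a running container answers the question the slide poses (which processes, not just the shell, carry secrets in their environment); the remedy is to stop putting credentials into ENV/ARG at build time and into plain environment at run time, and to hand them to the process as a mounted file instead (BuildKit's `RUN --mount=type=secret` and Docker's file-based secrets under `/run/secrets` exist for exactly that).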

secrets in env: demo

Git secret leaks

Secure secrets management in git from the offensive point of view. With examples and demo scripts.