Secure secrets management in Docker containers. Part 1
Secrets in memory
[!NOTE] It is possible to erase secrets from memory entirely, akin to how SSH does it, but doing so is out of scope for this training.
- hard to avoid exposure
- the least-privilege principle is very important to apply
host -> container lateral movement case
- sometimes the attacker has access to the host running the container
- monitoring containers may discourage the attacker from running docker exec
- it is somewhat beneficial to keep secrets in non-swappable memory
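An added example of the monitoring idea above (not part of the original training material): a small detector that reads the JSON stream produced by `docker events --format '{{json .}}'` and raises an alert for every `docker exec` that starts inside a container, rating an interactive shell higher than a one-off command. The event lines below are constructed; the container IDs, exec IDs, image tags and names are made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `docker events --format '{{json .}}'` output, one JSON
# object per line. Field layout follows the Docker Engine event format; the
# container IDs, exec IDs, images and names are invented for this example.
SAMPLE_EVENTS = r'''
{"status":"start","id":"a1b2c3d4e5f6","from":"myorg/api:1.4","Type":"container","Action":"start","Actor":{"ID":"a1b2c3d4e5f6","Attributes":{"image":"myorg/api:1.4","name":"api"}},"scope":"local","time":1700000000,"timeNano":1700000000000000000}
{"status":"exec_create: /bin/sh","id":"a1b2c3d4e5f6","from":"myorg/api:1.4","Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"a1b2c3d4e5f6","Attributes":{"execID":"deadbeef0001","image":"myorg/api:1.4","name":"api"}},"scope":"local","time":1700000100,"timeNano":1700000100000000000}
{"status":"exec_start: /bin/sh","id":"a1b2c3d4e5f6","from":"myorg/api:1.4","Type":"container","Action":"exec_start: /bin/sh","Actor":{"ID":"a1b2c3d4e5f6","Attributes":{"execID":"deadbeef0001","image":"myorg/api:1.4","name":"api"}},"scope":"local","time":1700000100,"timeNano":1700000100000000001}
{"status":"exec_start: pg_isready -U app","id":"0f0f0f0f0f0f","from":"postgres:16","Type":"container","Action":"exec_start: pg_isready -U app","Actor":{"ID":"0f0f0f0f0f0f","Attributes":{"execID":"deadbeef0002","image":"postgres:16","name":"db"}},"scope":"local","time":1700000130,"timeNano":1700000130000000000}
{"Type":"container","Action":"exec_die","Actor":{"ID":"a1b2c3d4e5f6","Attributes":{"execID":"deadbeef0001","exitCode":"0","image":"myorg/api:1.4","name":"api"}},"scope":"local","time":1700000160,"timeNano":1700000160000000000}
'''

# Programs whose exec is treated as an interactive shell rather than a one-off command.
SHELLS = {"sh", "bash", "ash", "dash", "zsh"}


def parse_events(lines):
    """Yield parsed event dicts, silently skipping blank or non-JSON lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_exec_events(lines):
    """Return one record per exec that actually started (exec_start) in a container."""
    hits = []
    for ev in parse_events(lines):
        action = ev.get("Action", "")
        if ev.get("Type") != "container" or not action.startswith("exec_start: "):
            continue
        command = action[len("exec_start: "):]
        attrs = ev.get("Actor", {}).get("Attributes", {})
        argv = command.split()
        program = argv[0].rsplit("/", 1)[-1] if argv else ""
        hits.append({
            "time": datetime.fromtimestamp(ev.get("time", 0), tz=timezone.utc).isoformat(),
            "container": attrs.get("name", ev.get("id", "?")[:12]),
            "image": attrs.get("image", ""),
            "exec_id": attrs.get("execID", ""),
            "command": command,
            "shell": program in SHELLS,
        })
    return hits


def format_alert(hit):
    """Render a hit as one alert line; shells are rated higher than plain commands."""
    level = "HIGH" if hit["shell"] else "MEDIUM"
    return f'[{level}] {hit["time"]} exec into {hit["container"]} ({hit["image"]}): {hit["command"]}'


if __name__ == "__main__":
    # In production, pipe the live stream in: docker events --format '{{json .}}' | python3 this.py
    for hit in find_exec_events(SAMPLE_EVENTS.splitlines()):
        print(format_alert(hit))
```

Only `exec_start` events are counted so each exec produces a single alert (the matching `exec_create` and `exec_die` carry the same execID and are ignored); forwarding these lines to your SIEM gives the visibility that makes an attacker on the host think twice before running docker exec.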
Secrets in build arguments, history and docker layers
- temporary files (docker image inspect myimg | jq '.[0].RootFS.Layers' and viewing the diff)
- logging sensitive data
- secrets in Dockerfile
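An added example for this section (not code from the training itself): a leaky Dockerfile next to its BuildKit secret-mount counterpart, a linter that flags the three patterns that bake secrets into an image (secret-looking ARG/ENV names and credential files written in a RUN step), and a parser that pulls build-arg and ENV values back out of `docker history --no-trunc --format '{{json .}}'` output. The Dockerfiles, the history lines and the values in them (hunter2, the API key) are constructed for the example.

```python
import json
import re

# Constructed Dockerfile that leaks secrets three ways: a build ARG (its value is
# recorded in `docker history`), an ENV (persists in the image config), and a
# credential file written in a RUN step and deleted later (still in that layer).
LEAKY_DOCKERFILE = """\
FROM python:3.12-slim
ARG PIP_INDEX_PASSWORD
ENV API_KEY=sk-live-0123456789abcdef
RUN echo "machine pypi.internal login ci password ${PIP_INDEX_PASSWORD}" > /root/.netrc \\
    && pip install --no-cache-dir internal-lib \\
    && rm /root/.netrc
COPY app /app
CMD ["python", "/app/main.py"]
"""

# The same build with a BuildKit secret mount: the file exists only during that
# RUN step and is never committed to a layer, the history or the image config.
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM python:3.12-slim
RUN --mount=type=secret,id=netrc,target=/root/.netrc \\
    pip install --no-cache-dir internal-lib
COPY app /app
CMD ["python", "/app/main.py"]
"""

# Constructed `docker history --no-trunc --format '{{json .}}'` output for an image
# built from LEAKY_DOCKERFILE with `--build-arg PIP_INDEX_PASSWORD=hunter2`. Build
# args consumed by a RUN step appear inline as "|<n> NAME=value" in that layer.
SAMPLE_HISTORY = r'''
{"CreatedBy":"CMD [\"python\" \"/app/main.py\"]","Size":"0B"}
{"CreatedBy":"COPY app /app # buildkit","Size":"12.3kB"}
{"CreatedBy":"RUN |1 PIP_INDEX_PASSWORD=hunter2 /bin/sh -c echo \"machine pypi.internal login ci password ${PIP_INDEX_PASSWORD}\" > /root/.netrc && pip install --no-cache-dir internal-lib && rm /root/.netrc # buildkit","Size":"8.1MB"}
{"CreatedBy":"ENV API_KEY=sk-live-0123456789abcdef","Size":"0B"}
{"CreatedBy":"ARG PIP_INDEX_PASSWORD","Size":"0B"}
{"CreatedBy":"/bin/sh -c #(nop)  CMD [\"python3\"]","Size":"0B"}
'''

SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
CRED_FILE = re.compile(r"\.netrc|\.npmrc|\.pypirc|id_rsa|\.aws/credentials|\.docker/config\.json")
BUILD_ARGS = re.compile(r"\|\d+\s+(.*?)\s+/bin/sh -c ")          # "|1 NAME=value /bin/sh -c ..."
ENV_LAYER = re.compile(r"^(?:/bin/sh -c #\(nop\)\s+)?ENV\s+(.*)$")  # BuildKit and legacy forms


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        stripped = raw.rstrip()
        cont = stripped.endswith("\\")
        buf.append(stripped[:-1].rstrip() if cont else stripped)
        if not cont:
            yield start, " ".join(buf)
            buf = []
    if buf:
        yield start, " ".join(buf)


def lint_dockerfile(text):
    """Return (line_no, instruction, reason) for patterns that bake secrets into an image."""
    findings = []
    for no, line in logical_lines(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        instr, _, rest = line.strip().partition(" ")
        instr = instr.upper()
        if instr in ("ARG", "ENV") and SECRET_NAME.search(rest):
            findings.append((no, instr, "secret-looking name: value is kept in image history/config"))
        if instr == "RUN" and CRED_FILE.search(rest) and "--mount=type=secret" not in rest:
            findings.append((no, instr, "credential file written in a layer: a later rm does not remove it"))
    return findings


def secrets_in_history(lines):
    """Return (kind, 'NAME=value') pairs recoverable from `docker history` output."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        created_by = json.loads(line).get("CreatedBy", "")
        m = BUILD_ARGS.search(created_by)
        if m:
            found += [("build-arg", p) for p in m.group(1).split() if SECRET_NAME.search(p.split("=", 1)[0])]
        m = ENV_LAYER.match(created_by)
        if m:
            found += [("env", p) for p in m.group(1).split() if SECRET_NAME.search(p.split("=", 1)[0])]
    return found


if __name__ == "__main__":
    for f in lint_dockerfile(LEAKY_DOCKERFILE):
        print("leaky   :", f)
    print("hardened:", lint_dockerfile(HARDENED_DOCKERFILE))
    for kind, pair in secrets_in_history(SAMPLE_HISTORY.splitlines()):
        print("history :", kind, pair)
```

Run against a real image with `docker history --no-trunc --format '{{json .}}' myimg | python3 -c '...'` feeding stdin to secrets_in_history; the Dockerfile linter is the kind of check that belongs in the CI step before the build, since no amount of rm in a later layer removes what an earlier layer committed.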
Secrets in dockerd: argument demo
Automated scanners (dockle/trivy/secretscanner)
[!NOTE] Most of those can be easily integrated into a CI/CD pipeline.
- regex rules for file contents or paths
- regex rules for libraries coupled with CVE
- “smarter” secret detection
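An added illustration of how the three bullet points above work inside such scanners (this is example code, not the implementation of dockle, trivy or secretscanner): path rules, content regexes for well-known key formats, and a "smarter" pass that flags high-entropy values assigned to secret-looking names. The in-memory file tree, the AWS-style key ID and the session secret are constructed sample data; the entropy threshold is a tunable assumption.

```python
import math
import re

# Constructed in-memory "image filesystem": path -> contents. All values are made up.
SAMPLE_FILES = {
    "/app/config.py": 'DB_HOST = "db"\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "/root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n-----END OPENSSH PRIVATE KEY-----\n",
    "/app/.env": "SESSION_SECRET=7fK9qL2xR8vN4mP1sT6wY3zB5cD0eH8j\nDEBUG=false\n",
    "/app/README.md": "Set DEBUG=false in production.\n",
    "/usr/lib/python3/site-packages/requests/__init__.py": "__version__ = '2.19.1'\n",
}

# Rule set 1: file paths that should never ship in an image.
PATH_RULES = [
    ("ssh-private-key-file", re.compile(r"/\.ssh/id_(rsa|ed25519|ecdsa)$")),
    ("dotenv-file", re.compile(r"/\.env$")),
    ("cloud-credentials-file", re.compile(r"/\.aws/credentials$")),
]
# Rule set 2: content patterns with a fixed, recognisable shape.
CONTENT_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Rule set 3: NAME=value / NAME: value where NAME hints at a secret; the value is
# then judged by its entropy instead of by a fixed pattern.
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(secret|token|password|key)[A-Z0-9_]*)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, words and repeats score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(files, entropy_threshold=3.5):
    """Return (path, line_no, rule) findings; line_no 0 marks a path-only finding."""
    findings = []
    for path, content in files.items():
        for rule, rx in PATH_RULES:
            if rx.search(path):
                findings.append((path, 0, rule))
        for line_no, line in enumerate(content.splitlines(), 1):
            for rule, rx in CONTENT_RULES:
                if rx.search(line):
                    findings.append((path, line_no, rule))
            for m in ASSIGNMENT.finditer(line):
                if shannon_entropy(m.group(3)) >= entropy_threshold:
                    findings.append((path, line_no, f"high-entropy value for {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for path, line_no, rule in scan(SAMPLE_FILES):
        where = f"{path}:{line_no}" if line_no else path
        print(f"{rule:35s} {where}")
```

To scan a real image, export its filesystem (docker create, then docker export) and feed the extracted files to scan instead of SAMPLE_FILES. The layering matters: the AWS key ID is caught by its fixed prefix, the SSH key by both path and header, while the session secret has no recognisable format and is only found by the entropy heuristic, which is also the rule that produces most false positives (base64 blobs, hashes, UUIDs) and needs an allow-list in practice.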
Scanners: dockle
demo
refer to: casts/dockle.cast
Scanners: secretscanner
demo
Scanners: trivy
demo
scans libraries, but is worse at scanning secrets
Other external secret management solutions (e.g. HashiCorp Vault/docker secrets)
- benefits of RBAC
- alerts and monitoring
- application integration
- “JIT” secret use
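An added example of the "application integration" and "JIT" points for docker secrets (example code, not part of the training or of Docker itself): Docker Swarm and Compose mount each secret as a file under /run/secrets/<name>; the application reads that file on demand, keeps the value in a wrapper that cannot leak through repr/str/logging, and refuses to continue if the same name is also present as an environment variable. The SECRETS_DIR override and the demo secret written to a temporary directory are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Docker Swarm and Compose mount each secret read-only at /run/secrets/<name>.
# SECRETS_DIR is an assumed override so the loader can be exercised outside Docker.
DEFAULT_SECRETS_DIR = "/run/secrets"


class Secret:
    """Holds a secret and refuses to show it through repr/str/format or logging."""
    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        """The only way to get the raw value; call it at the point of use, not earlier."""
        return self._value

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name, secrets_dir=None, env=None):
    """Read one mounted secret file; fail loudly rather than fall back to env vars."""
    env = os.environ if env is None else env
    base = Path(secrets_dir or env.get("SECRETS_DIR", DEFAULT_SECRETS_DIR))
    path = base / name
    if not path.is_file():
        raise FileNotFoundError(f"secret {name!r} is not mounted at {path}")
    if name in env or name.upper() in env:
        # Same name also set as an environment variable: usually a leftover
        # `environment:` entry that is visible via docker inspect and /proc/<pid>/environ.
        raise RuntimeError(f"{name} is also present in the environment; remove it there")
    return Secret(path.read_text(encoding="utf-8").rstrip("\n"))


def write_demo_secrets():
    """Create a temporary secrets directory with one constructed secret (demo only)."""
    base = Path(tempfile.mkdtemp(prefix="secrets-demo-"))
    (base / "db_password").write_text("hunter2\n", encoding="utf-8")  # constructed value
    return str(base)


def open_db(secrets_dir=None):
    """JIT use: resolve the secret only while building the connection string."""
    dsn = f"postgresql://app@db/app?password={load_secret('db_password', secrets_dir).reveal()}"
    # A real application hands dsn to the driver here; the Secret object is already
    # out of scope, so nothing keeps the raw value alive longer than this call.
    return dsn.count("hunter2") == 1 if secrets_dir else None


if __name__ == "__main__":
    demo_dir = write_demo_secrets()
    s = load_secret("db_password", demo_dir, env={})
    print("as logged:", s)           # prints Secret(<redacted>)
    print("connected:", open_db(demo_dir))
```

With Compose this corresponds to a top-level secrets: entry and a per-service secrets: list, after which the file appears inside the container; reading it from the file rather than from an environment variable is what keeps it out of docker inspect, out of child processes and out of crash dumps of the environment block.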