Secure secrets management in Docker containers. Part 2

Secure secrets management in Docker containers from the offensive point of view. Secrets in memory. Secrets in build arguments


Secrets in memory

[!NOTE] It is possible to erase secrets from memory entirely, akin to how SSH does it, but doing so is out-of-scope for this training.

  • hard to avoid exposure
  • the least-privilege principle is very important to apply

host -> container lateral movement case

  • sometimes the attacker has access to the host running the container
  • monitoring containers may discourage the attacker from running docker exec
  • it is somewhat beneficial to keep secrets in non-swappable memory

Secrets in build arguments, history and docker layers

  • temporary files (docker image inspect myimg | jq '.[0].RootFS.Layers' and viewing the diff)
  • logging sensitive data
  • secrets in Dockerfile
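The following Python script is an added example and is not part of the original training material. It shows the two places where a build-time secret survives: the Dockerfile itself (ARG/ENV with a credential-like name) and the image metadata that docker history prints, where BuildKit records build-arg values next to the RUN layer and ENV values verbatim. The Dockerfile, the history output and every secret value are constructed placeholders; the hardened variant uses BuildKit's RUN --mount=type=secret, which exposes the secret to one RUN step only and never writes it into a layer.

```python
import re

# Constructed Dockerfile that bakes a secret in via ARG/ENV (the anti-pattern).
LEAKY_DOCKERFILE = """\
FROM alpine:3.19
ARG NPM_TOKEN
ENV API_KEY=sk_live_example_constructed_value
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm install && rm ~/.npmrc
COPY . /app
"""

# Constructed sample of `docker history --no-trunc --format '{{.CreatedBy}}'` for that image.
# BuildKit records build-arg values as "|N KEY=value" in the RUN layer's CreatedBy and
# keeps ENV values verbatim; the later `rm ~/.npmrc` removes nothing from this metadata.
LEAKY_HISTORY = """\
COPY . /app # buildkit
RUN |1 NPM_TOKEN=npm_constructed_token_value /bin/sh -c echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc && npm install && rm ~/.npmrc # buildkit
ENV API_KEY=sk_live_example_constructed_value
ARG NPM_TOKEN
/bin/sh -c #(nop) CMD ["/bin/sh"]
"""

# Hardened variant: the secret is mounted at /run/secrets/<id> for this RUN step only.
# Build with: docker build --secret id=npm_token,src=./npm_token.txt .
HARDENED_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=secret,id=npm_token echo "//registry.npmjs.org/:_authToken=$(cat /run/secrets/npm_token)" > ~/.npmrc && npm install && rm ~/.npmrc
COPY . /app
"""

# Variable names that usually carry credentials; extend to taste.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|PASS(WORD)?|KEY|CREDENTIAL|AUTH)", re.IGNORECASE)


def find_dockerfile_secrets(dockerfile: str):
    """Return (line, directive, name) for ARG/ENV directives with a credential-like name."""
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = re.match(r"\s*(ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)", line)
        if m and SECRET_NAME.search(m.group(2)):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


def find_history_secrets(history: str):
    """Return (name, value) pairs that `docker history` exposes from build args and ENV."""
    leaks = []
    for line in history.splitlines():
        # build-arg values recorded with the RUN layer: "|<count> KEY=value ... /bin/sh -c ..."
        m = re.search(r"\|(\d+)\s+(.*?)\s+/bin/sh -c", line)
        if m:
            for pair in m.group(2).split():
                name, _, value = pair.partition("=")
                if SECRET_NAME.search(name):
                    leaks.append((name, value))
        # ENV values are stored verbatim in the layer metadata
        m = re.match(r"\s*ENV\s+([A-Za-z_][A-Za-z0-9_]*)=(\S+)", line)
        if m and SECRET_NAME.search(m.group(1)):
            leaks.append((m.group(1), m.group(2)))
    return leaks


if __name__ == "__main__":
    print("Dockerfile findings (leaky):   ", find_dockerfile_secrets(LEAKY_DOCKERFILE))
    print("Dockerfile findings (hardened):", find_dockerfile_secrets(HARDENED_DOCKERFILE))
    print("docker history leaks:          ", find_history_secrets(LEAKY_HISTORY))
```

To audit a real image, run docker history --no-trunc --format '{{.CreatedBy}}' IMAGE and pass its output to find_history_secrets; an image built from the hardened Dockerfile yields an empty list because the mounted secret is never part of any layer's metadata.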

Secrets in dockerd: argument demo


Automated scanners (dockle/trivy/secretscanner)

[!NOTE] Most of those can be easily integrated into a CI/CD pipeline.

  • regex rules for file contents or paths
  • regex rules for libraries coupled with CVE
  • “smarter” secret detection
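The three rule types above, as an added Python example that is not code from dockle, trivy or secretscanner: path rules (files that should never ship in an image), fixed-shape content rules, and a "smarter" heuristic that flags a credential-like name assigned a long, high-entropy value. The sample file tree stands in for an extracted image filesystem and is constructed; every value in it is a placeholder (the AKIA value is the one AWS uses in its own documentation). The heuristic is skipped on lines a fixed rule already matched, so each line is reported once.

```python
import math
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    rule: str
    line: int  # 0 for path-based rules


# Constructed image filesystem: path -> contents. All values are placeholders.
SAMPLE_FILES = {
    "app/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "app/.env": "DATABASE_URL=postgres://app:hunter2@db/app\n",
    "app/settings.json": '{"session_key": "f3a9c2e7b1d4a8c6e0f2b5d7a9c1e3f5"}\n',
    "app/README.md": "Run make test before committing.\n",
}

# Rule set 1: paths that should never end up inside an image.
PATH_RULES = {
    "dotenv-file": re.compile(r"(^|/)\.env(\..+)?$"),
    "ssh-private-key-file": re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"),
    "key-material-extension": re.compile(r"\.(pem|p12|pfx|jks)$"),
}

# Rule set 2: content patterns with a fixed shape (low false-positive rate).
CONTENT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url-with-credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@"),
}

# Rule set 3: credential-like name assigned a long value; confirmed by entropy.
ASSIGNMENT = re.compile(
    r"(?i)(key|secret|token|password|passwd)\w*[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hex and base64 secrets usually sit above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_files(files: dict) -> list:
    """Apply all three rule sets to an in-memory file tree and return the findings."""
    findings = []
    for path, content in files.items():
        for name, rx in PATH_RULES.items():
            if rx.search(path):
                findings.append(Finding(path, name, 0))
        for lineno, line in enumerate(content.splitlines(), 1):
            matched = [name for name, rx in CONTENT_RULES.items() if rx.search(line)]
            for name in matched:
                findings.append(Finding(path, name, lineno))
            if matched:
                continue  # already reported by a precise rule; skip the heuristic
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, "high-entropy-assignment", lineno))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.rule}")
```

The entropy threshold is the knob that trades recall for noise: hex and base64 material scores well above 3.5 bits per character, while ordinary words and file paths score below it, which is why the heuristic is gated on a credential-like variable name rather than run over every string in the image.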

Scanners: dockle demo

refer to: casts/dockle.cast


Scanners: secretscanner demo


Scanners: trivy demo

scans libraries well, but is worse at scanning secrets


Other external secret management solutions (e.g. Hashicorp Vault/docker secrets)

  • benefits of RBAC
  • alerts and monitoring
  • application integration
  • “JIT” secret use