Envelope with top secret stamp and blank papers.
Image: elnavegante/Adobe Stock

Within the realm of containers, secrets are assets such as SSH keys, SSL certificates and passwords that are used to connect to services such as cloud accounts, APIs and other containers. Secrets can be used to manage this sensitive data required by containers at runtime. The problem is that you do not want to store those secrets within the image or in your source, because that can lead to serious security issues.

Imagine, if you will, some nefarious user hacks into your Docker Swarm and then views those passwords or certificates to gain access to your accounts. That will not do.

To avoid such a scenario, you should consider using secrets. Instead of those passwords being stored within containers and images, you create the secret with Docker, which is encrypted, and then you can pass the secret to your containers, so they are never seen as plain text. With this system, it’s harder for cybercriminals to use those secrets against you.

I’m going to show you how to create a secret with Docker and then how to use it to deploy a Docker service.

SEE: Hiring kit: Back-end Developer (TechRepublic Premium)

What you’ll need

To make this work, you will need a running instance of Docker. It doesn’t matter if that’s a single instance running on Linux, macOS or Windows, or a full Docker Swarm cluster. That’s all you need. Let’s share some secrets.

How to create a secret

The first thing we’ll do is create our secret. We’ll use the printf command and pipe the output of that to the docker command to create a secret called my_test_secret. To do this, log into your Docker controller and issue the command:

printf "This is my super secret secret" | docker secret create my_test_secret -

You can verify if the secret was successfully created by listing all of your current secrets with the command:

docker secret ls

You should see a listing like this:

ttx3h2zarswj4wxgum5heobfx   my_test_secret   4 seconds ago 4 seconds ago

How to create a service that uses the secret

What we’ll do now is create a Redis service that has full access to the secret. The nice thing about this is that the actual container won’t save the secret internally, but can use it via the docker secrets mechanism.

To deploy that service, using the my_test_secret secret, the command looks something like this:

docker service  create --name redis --secret my_test_secret redis:alpine

Verify the service is running with the command:

docker service ps redis

You should see a listing that looks like this:

0z6v0js2hu5q   redis.1   redis:alpine   dockernode1   Running     Running 34 seconds ago

Verify the service has access to the secret with the command:

docker container exec $(docker ps --filter name=redis -q) ls -l /run/secrets

You should see something like this in the output:

-r--r--r-- 1 root root        17 May 24 13:16 my_test_secret

Finally, you can view the contents of the secret with the command:

docker container exec $(docker ps --filter name=redis -q) cat /run/secrets/my_test_secret

The output should look something like this:

This is my super secret secret

Now, if you commit the container, the secret is no longer available. Do that with the command:

docker commit $(docker ps --filter name=redis -q) committed_redis

Verify the secret is no longer available with the command:

docker run --rm -it committed_redis cat /run/secrets/my_test_secret

You should see in the output, something like this:

cat: can't open '/run/secrets/my_test_secret': No such file or directory

failed to resize tty, using default size

You can then remove access to the secret with the command:

docker service update --secret-rm my_test_secret redis

And that, my friends, is how you create a secret in Docker and use it within a service.

How to learn more about Docker

If you want to learn more about Docker, don’t miss these resources in the TechRepublic Academy:

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.