How to set up secure credential storage for Docker

Learn how to avoid saving your Docker login credentials in plain text by creating an encrypted credential storage.

As a container developer, there are times when you must store credentials for an application or service. This is especially true if you use Docker in such a way that it requires you to log in to a repository. If you use Docker out of the box, those login credentials are stored in plain text. This is clearly a security issue you need to avoid.

What can you do? 

Fortunately, there's a way you can secure those passwords. It's not quite a simple process, but it's not overly challenging either.

I want to walk you through the process of enabling secure credential storage in Docker. I'll be demonstrating on Ubuntu Server 18.04, but the platform doesn't matter, so long as it supports the Docker container engine.


What you'll need

The only things you'll need to make this work are:

  • A running instance of Docker

  • A user with sudo privileges

Installation, entropy, and keys

Before we get to the securing process, we need to install a tool that will help to generate entropy. We have to do this because we're on a headless server platform. If you are going to be working through this tutorial on a desktop distribution, you won't have to install this tool, as you can generate enough entropy for the GPG key by moving windows around and typing on the desktop. 

Without a GUI, you need to install rng-tools with the command:

sudo apt-get install rng-tools -y

Once the installation completes, generate the required entropy with the command:

sudo rngd -r /dev/urandom

Next, install the pass tool with the command:

sudo apt-get install pass -y

Now we can generate a new GPG key with the command:

gpg --full-generate-key

Answer the following questions for the key:

  • The type of key (select the default)

  • Key size (select default)

  • Key validity (select default)

Save the values by typing y.

Next, type the name, email address, an optional comment, and then type O to save the key. You will finally be required to enter a new passphrase for the key.

How to set up credential storage

It's now time to set up the secure credential storage. Here are the steps to do just that:

  1. Create a new directory with the command mkdir ~/bin.
  2. Change into that newly created directory with the command cd ~/bin.
  3. Add the directory to your path with the command echo 'export PATH=$PATH:~/bin' >> ~/.bashrc.
  4. Download docker-credential-pass with the command wget
  5. Untar the downloaded file with the command tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz.
  6. Give the new file the proper permissions with the command chmod a+x docker-credential-pass.
  7. Copy the executable with the command sudo cp docker-credential-pass /usr/local/bin.

With the installation of docker-credential-helpers taken care of, log out and log back in to the server and then create a new directory with the command:

mkdir ~/.docker

Next you must initialize the pass tool. To do this, locate your GPG ID with the command:

gpg --list-secret-keys

Locate the ID associated with the key you want to use and then initialize pass with the command:

pass init STRING

Where STRING is the GPG key ID you want associated with the credential storage.

Now we'll create a password for the credential storage with the command:

pass insert docker-credential-helpers/docker-pass-initialized-check

Once your password is generated, create a new configuration file with the command:

nano ~/.docker/config.json

Add the following content to the new file:

{
  "experimental": "enabled"
}

Save and close the file. 

How to log in to Docker

Finally, you can now log in to Docker with the command:

docker login

After logging in, your docker credentials will be saved in the encrypted storage and won't appear as plain text in the ~/.docker/config.json file. Enjoy that added layer of security for your Docker deployments.
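
To confirm the result described above, the following added example (not part of the original article) parses a Docker config.json and reports any registry entry that still carries an inline base64 auth value, along with the configured credsStore. The function name and both sample configs are constructed for illustration; auths, auth and credsStore are Docker's standard config keys.

```python
import base64
import binascii
import json


def audit_docker_config(config_text):
    """Return (cred_store, exposed); exposed maps registry -> username for
    every entry that still carries an inline base64 'auth' value."""
    cfg = json.loads(config_text)
    exposed = {}
    for registry, entry in (cfg.get("auths") or {}).items():
        blob = (entry or {}).get("auth")
        if not blob:
            continue  # empty entry: the secret is held by the credential helper
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]  # report the username only
        except (binascii.Error, ValueError):
            user = "<undecodable>"
        exposed[registry] = user
    return cfg.get("credsStore"), exposed


# Constructed sample: a config written by docker login with no helper in use.
# The auth value is base64 of the made-up pair "alice:example-password".
PLAINTEXT_SAMPLE = json.dumps({
    "auths": {"https://index.docker.io/v1/": {
        "auth": base64.b64encode(b"alice:example-password").decode()}}
})

# Constructed sample: the same login once the pass helper stores the secret.
HELPER_SAMPLE = '{"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}'

if __name__ == "__main__":
    import os
    import sys
    default = os.path.expanduser("~/.docker/config.json")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8") as fh:
        store, exposed = audit_docker_config(fh.read())
    print(f"credsStore: {store or 'not set'}")
    for registry, user in exposed.items():
        print(f"INLINE CREDENTIAL for {user} at {registry}")
    sys.exit(1 if exposed else 0)
```

Run it with no arguments to check ~/.docker/config.json; a non-zero exit status means an inline credential remains in the file.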

Image: Jack Wallen