Docker Seeking to Help Users Keep Their Secrets Secure

by Paul Rubens

Docker is upping its security game with the introduction in Docker 1.13.1 of its own container-native secrets management system to manage -- not surprisingly -- secrets.

Docker received quite a bit of criticism back in the day for not paying enough attention to security — rightly or wrongly. The CoreOS CEO even went so far as to call Docker's security model "broken."

But in the last year or so Docker has upped its game, introducing image signing and verification, image scanning, and much more when it comes to container security.

Now Docker is upping its game to yet another level with the introduction of its own container-native secrets management system to manage — not surprisingly — secrets: items like API tokens and encryption keys that apps need but have to keep secure and confidential.

Why the need for such a system now? Nathan McCauley, Docker's director of security, explained to Virtually Speaking that many existing secrets management solutions have been designed for static environments, and are not suitable for a Docker environment because containers are ephemeral and move around across distributed systems.

"Lots of organizations are doing transitions from the data center to the cloud and so on," he said. "You need a common security model that works anywhere, not one that is dependent on certain hardware or on a particular cloud provider's properties. If you can get that, then that's a big win."

McCauley added that other so-called solutions for dealing with secrets in containers include developers embedding secrets in source code (which in the worst case may get open-sourced and put on GitHub or somewhere similar for all the world to see). There are other solutions that may do a good job, but Docker has decided it's time for an official Docker solution.

So, McCauley says, Docker has come up with a solution with two overarching principles: that apps are safer when there is a standardized interface for accessing secrets (i.e., reduce complexity and keep it simple, stupid), and that apps are safest when secrets are not stored in the app itself (so that different secrets can be used in development, testing and staging, and operational secrets can be used when the application finally goes live).

A Closer Look at How Docker's Secrets Management System Operates

So here's how the container secrets management system in Docker works. Manager nodes in a Docker Datacenter architecture have access to an internal distributed store containing application secrets, and these are stored in encrypted form. (The keys either reside on the host or externally according to preference.)

When an instance of a containerized app is started up on a worker node, the secrets are sent with it (over TLS). McCauley says these secrets can only be delivered to the app that owns them, and are available to containers only in memory (i.e. they are never saved to disk).

This means that, as long as container isolation doesn't break down, they remain accessible only to the apps that own them. The containerized apps can then use their secrets to connect to internal applications or apps external to the Docker swarm.

(He adds that although the secrets are in memory, they can be read through files. That's important as it means legacy apps can plug into Docker's secrets manager without any changes to the underlying code — because all apps can read secrets through files.)
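The file-based access described above, as an added example that is not code from Docker or from the original article: a small loader an app could use to read a secret from its file instead of embedding it in source. It assumes Docker's default mount directory for service secrets, /run/secrets (not stated in the article); load_secret, SecretError and the db_password name are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Docker mounts a service's secrets as in-memory files under this directory.
SECRETS_DIR = "/run/secrets"


class SecretError(Exception):
    """A secret could not be loaded safely."""


def load_secret(name, secrets_dir=SECRETS_DIR):
    """Return secret `name` read from its file (hypothetical helper).

    No fallback to environment variables or hard-coded defaults: a missing
    secret is a deployment error, not something to paper over.
    """
    # Accept a bare file name only, so "../x" or "a/b" cannot leave the directory.
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise SecretError(f"invalid secret name: {name!r}")
    try:
        base = Path(secrets_dir).resolve(strict=True)
        target = (base / name).resolve(strict=True)  # follows symlinks
    except (OSError, RuntimeError, ValueError) as exc:
        raise SecretError(f"secret {name!r} is not available") from exc
    # After symlink resolution the file must still sit under the secrets directory.
    if base not in target.parents or not target.is_file():
        raise SecretError(f"secret {name!r} is not a file in {base}")
    # Strip the trailing newline that file-based tooling often appends.
    return target.read_text(encoding="utf-8").rstrip("\r\n")


if __name__ == "__main__":
    # Constructed sample: a temp directory stands in for /run/secrets.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "db_password").write_text("constructed-dev-value\n")
        print(len(load_secret("db_password", d)), "characters loaded")
        try:
            load_secret("../db_password", d)
        except SecretError as exc:
            print("rejected:", exc)
```

Because the loader only knows a secret's name, the same app code runs unchanged whether the file holds a development value or the production one.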

Container Secrets Management System Built into Docker Compose

In terms of using the new secrets management functionality, it's been built into Compose so devs can define secrets as they go.

Ops can then deploy Compose files with no code changes, and swap out dev and test secrets with the real things. There's also a secrets API so ops can load existing secrets into a cluster. And of course access control is provided so only authorized people can get their hands on, and change, secrets.

So how do you access the new secrets management solution? The answer to that is it's built into Docker Datacenter as part of the latest version of Docker, version 1.13.1, released on February 9.

Until the world at large has had a chance to get their hands on the new Docker 1.13.1 release and put the secrets handling through its paces, it's impossible to say how good (or otherwise) it is.

But it sounds quite promising, and shows that Docker continues to be more serious about security now than some people portrayed them to be in the past.

Paul Rubens is a technology journalist and contributor to ServerWatch, EnterpriseNetworkingPlanet and EnterpriseMobileToday. He has also covered technology for international newspapers and magazines including The Economist and The Financial Times since 1991.


This article was originally published on Wednesday Mar 22nd 2017