Use of the VOLUME instruction in the Dockerfile without further qualification would stick the sensitive information in /var/lib/docker/volumes/ somewhere (or wherever storage is configured) - which may be insecure behaviour out of the box. The resulting directory would not be guaranteed secure from user access in any way - I'd probably read into the Docker documentation. I also note that Kubernetes and podman may have impacts on this. I'm thinking it better NOT to declare volumes in the Dockerfile and to enforce a safe location by use of Docker-Compose or requiring more explicit --volume arguments at run time.
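One way to check for the situation described above, as an added example that is not part of the original comment: the functions list the paths a Dockerfile declares with VOLUME and only hand back an explicit --volume argument when the host directory is private to the current user. The function names and the 0700 policy are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example; function names and the "owner-only" policy are assumptions.

# Print every path declared by a VOLUME instruction in a Dockerfile.
# Handles both "VOLUME /a /b" and the JSON form 'VOLUME ["/a", "/b"]'.
# Limitation: ignores line continuations and paths containing spaces.
dockerfile_volumes() {
    awk 'toupper($1) == "VOLUME" {
        $1 = ""                       # drop the instruction keyword
        gsub(/\[|\]|"|,/, " ")        # flatten JSON-array syntax
        n = split($0, p, " ")
        for (i = 1; i <= n; i++) print p[i]
    }' "$1"
}

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, with no group or other permission bits (0700 or stricter).
safe_host_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    perms=$(ls -ld -- "$dir" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ]
}

# Print an explicit bind-mount argument for "docker run", or fail if the
# host directory does not pass safe_host_dir.
bind_mount_arg() {
    if ! safe_host_dir "$1"; then
        echo "refusing: $1 is not a private directory" >&2
        return 1
    fi
    printf '%s\n' "--volume=$1:$2"
}

# Usage sketch (image name and paths are placeholders):
#   [ -z "$(dockerfile_volumes Dockerfile)" ] || echo "Dockerfile declares VOLUME" >&2
#   docker run "$(bind_mount_arg "$HOME/app-secrets" /data)" example/image
```
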