jgwehr / homelab-docker

Docker Compose for building a home lab

Convert to Docker Secrets #14

Open jgwehr opened 2 years ago

jgwehr commented 2 years ago

All below is from: https://www.smarthomebeginner.com/traefik-docker-security-best-practices/#8_Use_Docker_Secrets

Use Docker Secrets

Specifying all your sensitive information (eg, API keys) in the .env file, /etc/environment, or docker-compose.yml file can be a security risk.

This is exactly why Docker secrets was introduced: to manage sensitive data.

Implementing Docker secrets for your stack is a multistep process.

A. Create Secrets Folder

First, create a secrets folder inside the docker root folder. As a Docker best practice, the secrets folder must be owned by root.

[Image: Docker Secrets Folder Permissions]

Set permissions of this folder to 600, owned by the user root and group root.

sudo chown root:root ~/docker/secrets
sudo chmod 600 ~/docker/secrets

This makes this folder accessible only to the root user, adding a layer of security while accessing sensitive information.

B. Create Secret Files

Next, you will have to put your sensitive information in a file. As an example, let us define a secret for Cloudflare account email.

Let's create a file inside the secrets folder with the name cloudflare_email. Remember that you will need root permissions to create the file. On my Ubuntu system, I use:

sudo su

followed by:

nano cloudflare_email

You could use any other text editor.

In the file, the only thing that needs to be added is your Cloudflare account email, as can be seen in my GitHub Repo.

Save and exit.

C. Define Secrets in Docker Compose File

Now that the Docker secret is created, let's define it in the Docker compose file. This is done using the secrets: block.

The example below shows two secrets: cloudflare_email and cloudflare_api_key.

########################### SECRETS
secrets:
  cloudflare_email:
    file: $SECRETSDIR/cloudflare_email
  cloudflare_api_key:
    file: $SECRETSDIR/cloudflare_api_key

$SECRETSDIR is the environmental variable that contains the path to Docker secrets folder. You can set this up as explained in my Docker Traefik 2 guide.

More examples are shown in my GitHub Repo.

D. Use the Secrets in Docker Services

Once defined globally, we can use the secrets in the docker-compose snippets for individual services. Since we added Cloudflare account details as Docker secrets, let us see how to use them in the docker-compose snippet for Traefik.

First, we have to make the secrets available inside the Traefik container. To do this, you have to add the following block to the docker-compose snippet for Traefik:

secrets:
  - cloudflare_email
  - cloudflare_api_key

What this does is make the secret files available in the /run/secrets folder inside the container.

Next, we can set the environment variables to read sensitive data from these secret files using the environment: block, as shown below:

environment:
  - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
  - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key

Notice that the environmental variables now have _FILE appended at the end. Don't miss this or it won't work.

Save and recreate the service (in this case Traefik) and check the logs for any errors. If Traefik is unable to read the secrets correctly, you will see it as an error in the logs. In order for Docker secrets to work properly, the container's base image must support it. If the image is a reputed/trusted image, the chances are very high that the developers have implemented Docker security best practices, including Docker secrets.

I have moved pretty much all my sensitive information to Docker secrets.
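The _FILE suffix only works because the image's entrypoint knows to read the variable's value from the file Docker mounts under /run/secrets. As an added example (not code from this repo or from the blog post, and not Traefik's own implementation), here is a hypothetical POSIX sh helper, file_env, modelled on the pattern used by many official images' entrypoint scripts; it shows the checks an image should make: refuse when both VAR and VAR_FILE are set, refuse an unreadable secret file, and strip the trailing newline an editor leaves in the file.

```shell
#!/bin/sh
# file_env VAR [DEFAULT]
# Hypothetical entrypoint helper implementing the VAR / VAR_FILE convention.
# If VAR_FILE is set, VAR is loaded from that file (e.g. /run/secrets/...).
file_env() {
    var="$1"
    fileVar="${var}_FILE"
    def="${2:-}"
    # indirect lookup of both names in a POSIX-compatible way
    eval "val=\${$var:-}"
    eval "fileVal=\${$fileVar:-}"
    # a stray plaintext variable must never silently override the secret
    if [ -n "$val" ] && [ -n "$fileVal" ]; then
        echo "error: both $var and $fileVar are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$fileVal" ]; then
        # a missing or unreadable file is a misconfiguration, not an empty value
        if [ ! -r "$fileVal" ]; then
            echo "error: $fileVar points to unreadable file $fileVal" >&2
            return 1
        fi
        # command substitution strips the trailing newline nano/vi add
        val=$(cat "$fileVal")
    fi
    [ -n "$val" ] || val="$def"
    export "$var=$val"
    # drop the *_FILE path so child processes only see the resolved value
    unset "$fileVar"
}
```

Call it once per secret-backed variable at the top of the entrypoint (for example `file_env CF_API_EMAIL`); the resolved value then reaches the application like any other environment variable.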

jgwehr commented 2 years ago

https://docs.docker.com/engine/swarm/secrets/