Secrets management is an integral part of container security. Application code frequently depends on infrastructure secrets, such as API keys, passwords, and access tokens. Too often, developers and DevOps personnel hard-code these secrets into container images or inject them as environment variables. Both of these methods leave secrets exposed: a secret in an image layer can be read by anyone who can pull or inspect the image, and an environment variable shows up in docker inspect, is inherited by child processes, and tends to end up in logs and crash dumps. Additionally, hardcoding secrets couples the secrets management process with the development process, which means that changing or rotating a secret requires refactoring and redeploying the code.
While the Docker CLI includes secret management commands (docker secret), they work only in Swarm mode, not with standalone containers. To get around this restriction, users can define secrets in a Docker Compose file via the top-level secrets field. However, this requires admins to keep each secret in a plain-text file on the host, which Compose bind-mounts into the container (under /run/secrets) for the application to read. If those files are committed to source control, anyone with access to the repository can read them.
In addition to being insecure, storing Docker secrets in text files contributes to secrets sprawl, a scenario where infrastructure secrets are scattered across the network with no inventory of where they live or who can reach them. This may not seem like a big deal when an organization has a relatively low number of secrets, but as companies grow, infrastructure secrets multiply quickly. For example, SSH keys alone can easily number in the thousands.
Secure Docker Secrets Without Swarm – or Sprawl
Keeper Secrets Manager (KSM), the first and only cloud-based, zero-trust, zero-knowledge solution for securing infrastructure secrets, enables developers and DevOps personnel to easily secure Docker secrets, along with all other infrastructure secrets, enhancing container security while eliminating secrets sprawl across the entire data environment.
KSM offers developers and DevOps teams three primary methods to secure Docker secrets.
1. Build an Image with Secrets using BuildKit
Using Docker BuildKit, secrets from the Keeper Vault can be supplied to the build of a Docker image. In Docker 18.09 and later, BuildKit can pass a secret into a build step as a file mounted under /run/secrets for the duration of that one RUN instruction; the secret itself is not written to any image layer, and only what the step derives from it ends up in the image. Think of this method as baking a cake: the secret goes into the mixing bowl, not into the finished cake. For more details and a helpful example, see our documentation, where we demonstrate this method by creating a user account in the destination image with a username and password from Keeper Secrets Manager.
2. Build an Image with Secrets using Build Arguments
Building on the cake analogy in method 1, this method is like baking a dynamic cake; it can “phone home” to the Vault and securely pull the secrets you need at runtime.
In this method, secrets are passed in via --build-arg. Set environment variables using Keeper notation for the secrets that are needed, and run the Docker build through the ksm exec command, which resolves the notation and supplies the values to the build. One caveat: a build argument that a RUN instruction uses is recorded in that layer's metadata and can be read back with docker history, so when the secret value itself must not persist in the image, prefer the BuildKit secret mount of method 1. Visit our documentation for more details and another helpful example.
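The following is an added example, not code from this page or from Keeper's documentation. It writes the secure BuildKit form of method 1 next to the --build-arg form discussed in method 2, and includes a check that the secret value is absent from the built image's history. The ksm exec invocation in the comment is an assumed CLI form, the record UID is a placeholder, and the password is a constructed test value; the steps that need a Docker daemon run only when KSM_EXAMPLE_BUILD=1 is set and docker is installed.

```shell
#!/bin/sh
# Added example, not code from the Keeper page or its documentation.
# Shows a BuildKit secret mount beside the --build-arg form it should replace,
# plus a post-build check that the secret did not leak into the image history.
# Assumptions: the `ksm exec -- <command>` form in the comment below and a
# placeholder record UID; the secret value is a constructed test value.
# The docker steps only run when KSM_EXAMPLE_BUILD=1 and docker is installed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Secure form: the secret is mounted at /run/secrets/db_password for this one
# RUN step and is never written to an image layer.
write_secure_dockerfile() {
    cat > "$1/Dockerfile.secure" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine:3.19
RUN --mount=type=secret,id=db_password \
    adduser -D app && \
    printf 'app:%s' "$(cat /run/secrets/db_password)" | chpasswd
EOF
}

# Weak form: an ARG used by a RUN instruction is recorded in the layer
# metadata and can be read back with `docker history --no-trunc`.
write_insecure_dockerfile() {
    cat > "$1/Dockerfile.insecure" <<'EOF'
FROM alpine:3.19
ARG DB_PASSWORD
RUN adduser -D app && printf 'app:%s' "$DB_PASSWORD" | chpasswd
EOF
}

# Static check, no Docker needed: the Dockerfile must use a secret mount and
# must not declare the secret as a build argument.
dockerfile_uses_secret_mount() {
    grep -q -- '--mount=type=secret,id=db_password' "$1" \
        && ! grep -qE '^ARG[[:space:]]+DB_PASSWORD' "$1"
}

# Build with the secret supplied from a file that never enters the image.
# With Keeper, the file can be produced by resolving keeper:// notation, e.g.
# (assumed CLI form, see the KSM documentation):
#   DB_PASSWORD='keeper://<record-uid>/field/password' \
#     ksm exec -- sh -c 'printf "%s" "$DB_PASSWORD" > db_password.txt'
build_secure() {
    DOCKER_BUILDKIT=1 docker build -f "$1/Dockerfile.secure" \
        --secret id=db_password,src="$1/db_password.txt" \
        -t app:secure "$1"
}

# Returns 0 when the value is absent from every layer's recorded command.
history_is_clean() {
    ! docker history --no-trunc "$1" | grep -qF "$2"
}

write_secure_dockerfile "$WORKDIR"
write_insecure_dockerfile "$WORKDIR"

if [ "${KSM_EXAMPLE_BUILD:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then
    printf '%s' 'S3cret-test-value' > "$WORKDIR/db_password.txt"  # constructed
    build_secure "$WORKDIR"
    if history_is_clean app:secure 'S3cret-test-value'; then
        echo "app:secure: secret not present in image history"
    fi
fi
```

Running history_is_clean against an image built from Dockerfile.insecure with --build-arg DB_PASSWORD=... is the quickest way to see the difference: the value appears verbatim in the RUN layer's recorded command.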
3. Use the KSM Docker Writer Image
The KSM Docker Writer, a general-purpose Docker image, simplifies Docker secrets security by downloading the requested secrets from the Keeper Vault and writing them to files in its working directory. Pull the image by running the following CLI command:
$ docker pull keeper/keeper-secrets-manager-writer
When run, its parameters are passed in via environment variables: KSM_CONFIG carries the base64-encoded KSM application configuration and SECRETS lists which records to fetch and where to write them.
$ docker run \
  -v "$PWD":/wd --workdir /wd \
  -e "KSM_CONFIG=BASE64 CONFIG" \
  -e "SECRETS=JfXpSQ2nZG6lkdl1rxB0dg/file/example.crt > file:example.crt" \
  keeper/keeper-secrets-manager-writer
With the KSM Docker Writer, the secrets your containers use are fetched from Keeper's API at start-up rather than read from files checked into a repository. Each secret is encrypted with a 256-bit AES key, which is encrypted by another AES-256 application key. The client device retrieves encrypted ciphertext from the Keeper cloud, and secrets are decrypted and used locally on the device, not on Keeper's servers. Additionally, all server requests are further encrypted with an AES-256 transmission key on top of TLS to prevent MITM or replay attacks. This multi-layered cryptography is handled transparently through Keeper's client-side SDKs, which are easy to integrate into any environment.
A solid example of using KSM Docker Writer Image is integration into orchestration tools like Kubernetes and Docker Compose. The KSM image can retrieve the secrets needed during initialization, then share those secrets to the other containers that depend on them. The example provided using Docker Compose in our documentation uses a shared volume to store the secrets.
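The following is an added example, not Keeper's own Compose file. It shows the shared-volume pattern just described: the writer runs once at start-up, fetches the requested file from the Keeper Vault, and the application container reads it from a memory-backed volume mounted read-only. It assumes the writer honours KSM_CONFIG, SECRETS and a /wd working directory exactly as in the docker run command above, and that Compose v2 syntax is available; the record UID, file name and application image are placeholders. Nothing is started unless KSM_CONFIG is set and docker is installed.

```shell
#!/bin/sh
# Added example, not Keeper's documentation: a Docker Compose file in which the
# KSM writer runs once at start-up, fetches the requested files from the
# Keeper Vault, and hands them to the application through a memory-backed
# shared volume. Assumptions: the writer honours KSM_CONFIG, SECRETS and a /wd
# working directory as in the docker run example; the record UID, file name and
# application image are placeholders; Compose v2 syntax
# (depends_on ... condition: service_completed_successfully) is available.
set -eu

COMPOSE_DIR="${COMPOSE_DIR:-$(mktemp -d)}"

write_compose_file() {
    cat > "$1/docker-compose.yml" <<'EOF'
services:
  secrets-writer:
    image: keeper/keeper-secrets-manager-writer
    working_dir: /wd
    environment:
      # Interpolated from the shell environment (or an untracked .env file),
      # never pasted into this file: KSM_CONFIG is itself a credential that
      # unlocks every secret this KSM application is allowed to read.
      KSM_CONFIG: ${KSM_CONFIG}
      SECRETS: "JfXpSQ2nZG6lkdl1rxB0dg/file/example.crt > file:example.crt"
    volumes:
      - secrets:/wd

  app:
    image: my-app:latest
    depends_on:
      secrets-writer:
        condition: service_completed_successfully
    volumes:
      - secrets:/run/keeper:ro
    environment:
      TLS_CERT_FILE: /run/keeper/example.crt

volumes:
  # tmpfs so the fetched files never land on the host's disk; only
  # containers that mount this volume can read them.
  secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=1m
EOF
}

# Static checks that need no Docker: the KSM config is interpolated rather
# than embedded, the app sees the secrets read-only, and the volume is tmpfs.
compose_file_is_safe() {
    f="$1/docker-compose.yml"
    grep -qF 'KSM_CONFIG: ${KSM_CONFIG}' "$f" \
        && grep -qF 'secrets:/run/keeper:ro' "$f" \
        && grep -qF 'type: tmpfs' "$f"
}

write_compose_file "$COMPOSE_DIR"

# Bring the stack up only when a real KSM config is present.
if [ -n "${KSM_CONFIG:-}" ] && command -v docker >/dev/null 2>&1; then
    (cd "$COMPOSE_DIR" && docker compose up -d)
fi
```

Two points worth keeping in mind with this pattern: any container that can mount the secrets volume, and anyone with access to the Docker socket, can read the fetched files, so the volume should be attached only to the services that need it; and KSM_CONFIG on the writer container is visible through docker inspect, so it must be treated as a credential in its own right and rotated like one.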
Use KSM to Secure All of Your Infrastructure Secrets
The utility value of KSM doesn’t stop with Docker or containers. KSM protects secrets used by source code throughout an organization’s entire IT ecosystem, as well as servers, CI/CD pipelines, and developer environments. Further, because KSM is a natural extension of Keeper’s top-rated enterprise password manager (EPM), it is fully integrated into the Keeper Web Vault, Desktop App and Admin Console. KSM also seamlessly integrates into Keeper’s Advanced Reporting and Alerts (ARAM) module, BreachWatch, Webhooks, SIEM integration, and compliance tools.
Using KSM instead of hardcoding, environment variables, or config files eliminates secrets sprawl, dramatically reduces the risks of unintentional secrets compromise, and stores infrastructure secrets inside Keeper’s zero-knowledge EPM. This gives administrators and DevOps personnel the same benefits and control of infrastructure secrets as Keeper gives them over passwords. These include simplified secrets rotation, role-based access control (RBAC), and integration with add-ons like BreachWatch, which scans the Dark Web for compromised credentials and alerts IT admins if any are discovered.
Keeper Secrets Manager is fully managed and utilizes a new patent-pending security architecture. Unlike competing secrets management solutions, KSM integrates into virtually any data environment, with no additional hardware or cloud-hosted infrastructure required, and out-of-the-box integrations with a wide variety of DevOps tools, including GitHub Actions, Kubernetes, Ansible, and more.
Not a Keeper customer yet? Sign up for a 14-day free trial now! Want to find out more about how Keeper can help your organization prevent security breaches? Reach out to our team today.