This repository hosts simple tools written in Go and compiled without any external dependencies. They help encrypt files into a Docker image at build time and decrypt them in production at container startup.
See the example dir for the complete sample. Prepare the sample image containing a secret file:
cd example/oneFile
make dbuild secret=olia
Try running the container:
docker run -it -e "SECRET=olia" ${USER}/secure-demo:0.1
Press Ctrl+C. Try with the wrong secret:
docker run -it -e "SECRET=wrong" ${USER}/secure-demo:0.1
You should not be able to see the data.
The repo contains two tools: encrypt-file and check-decrypt-file. Adding a secret file to a Docker image takes the following steps. First, we create a temporary helper image (see example/oneFile/Dockerfile):
- during the build, pass the secret key with --build-arg (see example/oneFile/Makefile)
- copy the secret file into the image (sample file: example/oneFile/secretFile.txt)
- encrypt the secret file using encrypt-file and the key
Then we create the target image:
- copy the check-decrypt-file into the target image (for decrypting file on startup)
- copy the encrypted file from the first image
- configure a startup script and copy it to the target image. The startup script first runs check-decrypt-file, which takes the secret from the environment (the SECRET variable in the sample) and decrypts the file. Only then should it start the main process of the container.
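To make the build-time/startup-time split concrete, here is an added example of the encrypt/decrypt pair such a pipeline relies on. It is not the repository's own code: it assumes AES-256-GCM with a key hashed from the SECRET value, which is an assumption about how encrypt-file works, not its documented format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// gcmFor derives an AES-256-GCM AEAD from SECRET (assumption: SHA-256 stands in for encrypt-file's real key derivation).
func gcmFor(secret string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext; the random nonce is prepended to the output.
func Encrypt(secret string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(secret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong secret fails the GCM tag check and
// yields an error, not garbage, so a startup script can refuse to run.
func Decrypt(secret string, data []byte) ([]byte, error) {
	gcm, err := gcmFor(secret)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() { // constructed sample standing in for secretFile.txt
	enc, _ := Encrypt("olia", []byte("db password: hunter2"))
	_, err := Decrypt("wrong", enc)
	fmt.Println("wrong secret rejected:", err != nil)
}
```

In the image pipeline, Encrypt runs in the helper build stage and Decrypt in the startup script; the error path is what turns a wrong SECRET into a refused start rather than corrupted data.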
Since you are dealing with secret data, you must be extremely cautious. The secret can be revealed with docker history if the build does not use a multi-stage build: build arguments are recorded in the layer history of the image they are passed to, so the helper image must never be pushed or shipped.
Airenas Vaičiūnas
Copyright © 2021, Airenas Vaičiūnas. Released under the 3-Clause BSD License.