Docker secrets and RSA keys

I have a Docker swarm and I would like to use a secret RSA key in a service to connect via SSH to another container.

My security policy is that all the secrets (passwords, keys, etc.) are stored on a different machine than the destination servers (the Swarm).

Actually (and I don't like it), in my Dockerfile I create a temporary directory /run/secrets:

mkdir -p /run/secrets

Then I create fake id_rsa and id_rsa.pub files:

touch /run/secrets/id_rsa
touch /run/secrets/id_rsa.pub

And now I create a symbolic link:

ln -s /run/secrets/id_rsa /root/.ssh/id_rsa
ln -s /run/secrets/id_rsa.pub /root/.ssh/id_rsa.pub

I'm doing this because I didn't find a way to copy the secrets in my docker-entrypoint.sh: in the entrypoint I'm not root so I can't copy in the /root directory.

So, I'm already using Docker secrets, but the problem here is that the secrets inside the containers are read-only. That impacts the usage of SSH:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0444 for '/root/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.

I can't modify the permissions of my id_rsa file since it's read-only.

Is there a workaround, or just a really better way to do it?

Thanks

EDIT 1:

I'm trying to change the way I build my Docker image in order to copy keys in the /root/.ssh directory.

Paul Rey, asked Oct 11 '25 17:10

1 Answer

Consider creating a stack with a compose file. This gives you the option to alter the file permissions of your secrets.

version: "3.1"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    secrets:
      - source: my_secret
        target: redis_secret
        uid: '103'
        gid: '103'
        mode: 0440
secrets:
  my_secret:
    file: ./my_secret.txt
  my_other_secret:
    external: true

More info can be found here: https://docs.docker.com/compose/compose-file/#long-syntax-2
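As an added example (not part of the answer above or of Docker's own documentation), here is the same long-syntax mechanism applied to the SSH case from the question. The service name `worker` and the image `my-app:latest` are assumptions. The `target` is given as an absolute path, which the compose long syntax accepts for swarm stacks, so the key is mounted straight into /root/.ssh instead of /run/secrets and no symlinks or copying are needed; `uid: '0'` makes root the owner and `mode: 0400` satisfies the OpenSSH check that rejected the 0444 default.

```yaml
version: "3.1"
services:
  worker:                      # assumed service name
    image: my-app:latest       # assumed image
    deploy:
      replicas: 1
    secrets:
      # Private key: owned by root, readable only by the owner.
      # ssh refuses a private key with group/other bits set, which is
      # exactly the "Permissions 0444 ... are too open" error.
      - source: ssh_private_key
        target: /root/.ssh/id_rsa
        uid: '0'
        gid: '0'
        mode: 0400
      # Public key: not sensitive, so the world-readable default is fine.
      - source: ssh_public_key
        target: /root/.ssh/id_rsa.pub
        uid: '0'
        gid: '0'
        mode: 0444
secrets:
  # Created on the manager beforehand with `docker secret create`,
  # so the key material never has to live in the image or the build context.
  ssh_private_key:
    external: true
  ssh_public_key:
    external: true
```

Deploy it with `docker stack deploy -c stack.yml mystack` after `docker secret create ssh_private_key ./id_rsa` and `docker secret create ssh_public_key ./id_rsa.pub` on a manager node. Because the secret is still delivered read-only from the tmpfs mount, the permissions have to be right at mount time; that is why they are declared in the stack file rather than fixed in an entrypoint. If the process that runs ssh is not root, set `uid`/`gid` to that user's ids instead, since OpenSSH's check applies to the key's owner.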

