I don’t know how secure HashiCorp Vault and Docker secrets are if I use “docker run…” with (as an example) MySQL credentials (environment variables) for user, password, database etc.
Like
docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:tag
I know the environment secrets will be hashed in Vault, but with “docker inspect” etc. or in the running container you can see the secret.
What I want to know is:
-When will the secret be unhashed, in the clear?
-For security risk… It’s not possible to use these hashed secrets on the MySQL command line to connect to the database?
-Does Vault decrypt the hashed secret in the background, or how does it work? Let’s say a product is added to an online shop - in the background the shop system needs access to the database.
Do you know a good video tutorial about vault and docker run command for environment secrets?
Docker run is not a supported way of running anything in production. This isn’t a Vault-specific issue: any environment variable passed to any program anywhere is public information to anyone on that server.
In general you shouldn’t put secrets in command lines (as they are visible to anyone on that machine) and you also need to be very careful with environment variables.
The best option is for the application to connect to Vault directly to fetch secrets, with the token/approle needed to achieve that stored in a file (with very restricted permissions) that gets deleted by the application as soon as it is read. You could even wrap that token to detect tampering.
With regards to your original post, I’m not really seeing anything that is related to Vault? The Docker run command you list isn’t using Vault in any way?
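The pattern described in the reply above (the application itself fetches the credentials from Vault, using a token read once from a restricted file that is deleted immediately afterwards), as an added example in Python that is not code from this thread or from HashiCorp. It assumes a POSIX host, a KV v2 engine mounted at `secret` with the MySQL credentials stored at `secret/mysql`, and replaces the real Vault server with a constructed fake response; the token value and credentials are made up.

```python
import io
import json
import os
import stat
import tempfile
import urllib.request

def read_token_once(path: str) -> str:
    """Read a Vault token from a file only its owner can read, then delete the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # group/other bits set: refuse to use it
        raise PermissionError(f"{path} has mode {oct(mode)}; expected 0600")
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    os.unlink(path)  # one-shot: once the process holds the token it must not linger on disk
    return token

def fetch_kv_secret(addr, token, mount, secret_path, opener=urllib.request.urlopen):
    """Read a KV v2 secret over Vault's HTTP API; `opener` is injectable for offline tests."""
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{mount}/data/{secret_path}",
                                 headers={"X-Vault-Token": token})
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))["data"]["data"]

# Constructed stand-in for a Vault server (assumed KV v2 mount "secret", path "mysql").
FAKE_RESPONSE = {"data": {"data": {"username": "shop", "password": "example-pw"}}}

def fake_vault(req):
    # urllib stores header names capitalized as "X-vault-token".
    if req.get_header("X-vault-token") != "hvs.example-token":
        raise PermissionError("fake Vault: bad token")
    return io.BytesIO(json.dumps(FAKE_RESPONSE).encode("utf-8"))

def demo() -> dict:
    """Write a 0600 token file, consume it, fetch credentials, and reject a lax file."""
    fd, path = tempfile.mkstemp()  # mkstemp creates the file readable/writable by owner only
    with os.fdopen(fd, "w") as fh:
        fh.write("hvs.example-token\n")
    token = read_token_once(path)
    creds = fetch_kv_secret("http://127.0.0.1:8200", token, "secret", "mysql", opener=fake_vault)
    fd, lax = tempfile.mkstemp()  # same kind of file but world-readable: must be refused
    os.close(fd)
    os.chmod(lax, 0o644)
    try:
        read_token_once(lax)
        lax_rejected = False
    except PermissionError:
        lax_rejected = True
        os.unlink(lax)
    return {"creds": creds, "token_file_gone": not os.path.exists(path), "lax_rejected": lax_rejected}
```

In a real deployment the token file would be dropped by an init step (for example the Vault Agent or an orchestrator) and `fetch_kv_secret` would be called with the default `urllib` opener against the real Vault address.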
You have to read exactly!
Maybe English isn’t your preferred language; mine definitely is not.
I don’t run MySQL etc. yet, but I want to!
So I want to use HashiCorp to encrypt the secrets.
My questions are:
-When will the secret be unhashed, in the clear?
-It’s not possible to use these hashed secrets on the MySQL command line to connect to the database?
-Does Vault decrypt the hashed secret in the background, or how does it work? Let’s say a product is added to an online shop - in the background the shop system needs access to the database.
I could answer my questions by myself with the HashiCorp Vault documentation and (more) videos.
These were the questions:
Q: -When will the secret be unhashed, in the clear?
A: Never, because they can be used hashed
Q: -It’s not possible to use these hashed secrets on the MySQL command line to connect to the database?
A: The hashed secret can be used, so it’s a security risk
Q: -Does Vault decrypt the hashed secret in the background, or how does it work?
A: If hashed, it will be used hashed without problems