Docker Secrets in Environments (without compose or swarm)

I don’t know how secure HashiCorp Vault and Docker secrets are if I use “docker run…” with (as an example) MySQL credentials (environment variables) for user, password, database etc.
Like

docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql:tag

I know the environment secrets will be hashed in Vault, but with “docker inspect” etc. or in the running container you can see the secret.

What I want to know is:
-When i will the the secret unhashed, in clear?
-Regarding the security risk… Is it not possible to use these hashed secrets on the MySQL command line to connect to the database?
-Does Vault decrypt the hashed secret in the background, or how does it work? Let’s say you add a product in an online shop - in the background the shop system needs access to the database.

Do you know a good video tutorial about Vault and the docker run command for environment secrets?

Does nobody know?
What about HashiCorp themselves?!

Docker run is not a supported way of running anything in production. This isn’t a Vault-specific issue; any environment variable passed to any program anywhere is public information to anyone on that server.

That was not my question! :roll_eyes:

OffTopic on:
If I don’t use Docker and install all applications directly, all the “secrets” are also in clear!
OffTopic end

Let Docker be my concern for once. :wink:

Ohh, I saw one of my questions…

-When i will the the secret unhashed, in clear?

Should be

-When will the secret be unhashed, in clear?

In general you shouldn’t put secrets in command lines (as they are visible to anyone on that machine) and you also need to be very careful with environment variables.

The best option is for the application to connect to Vault directly to fetch secrets, with the token/approle needed to achieve that stored in a file (with very restricted permissions) that gets deleted by the application as soon as it is read. You could even wrap that token to detect tampering.

With regards to your original post, I’m not really seeing anything that is related to Vault? The Docker run command you list isn’t using Vault in any way?
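
The file-based token handoff described in the reply above, as an added example that is not code from the thread or from HashiCorp: the application reads a Vault token from a file only it can read, deletes the file right away, unwraps the token if it was response-wrapped (a failed unwrap means someone else already used it, the tamper signal mentioned above), then reads the MySQL credentials. The API paths `sys/wrapping/unwrap` and KV v2 `secret/data/...` are Vault's real endpoints; the secret path `secret/data/shop/mysql`, the token file location and the injectable `vault` callable are assumptions so the flow can run without a Vault server.

```python
import json
import os
import stat
import urllib.request
from typing import Callable, Optional

# Shape of the Vault call used below: (token, method, api_path, body) -> parsed JSON.
VaultCall = Callable[[str, str, str, Optional[dict]], dict]


def read_and_burn_token(path: str) -> str:
    """Read a Vault token handed over via a file, then delete the file.
    The file must be a regular file owned by this process, mode 0600 or stricter."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file (symlink?)")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by this process")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: readable by group or others")
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    os.unlink(path)  # burn after reading: no copy stays on disk
    return token


def vault_http(addr: str) -> VaultCall:
    """Minimal client for the real Vault HTTP API (addr e.g. http://127.0.0.1:8200)."""
    def call(token, method, api_path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{api_path}", data=data, method=method,
                                     headers={"X-Vault-Token": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


def fetch_db_credentials(token_path: str, wrapped: bool, vault: VaultCall,
                         secret_path: str = "secret/data/shop/mysql") -> dict:
    """Fetch MySQL credentials from Vault using a token delivered via file (assumed path)."""
    token = read_and_burn_token(token_path)
    if wrapped:
        # A response-wrapped token unwraps exactly once; failure means it was
        # already consumed or expired, so treat the handoff as tampered.
        try:
            token = vault(token, "POST", "sys/wrapping/unwrap", None)["auth"]["client_token"]
        except Exception as exc:
            raise RuntimeError("unwrap failed: wrapping token already used or expired") from exc
    # KV v2 read: the key/value pairs of the secret sit under data.data.
    return vault(token, "GET", secret_path, None)["data"]["data"]
```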

Do you see my questions?!
That’s all Vault related.

Maybe if you could try rephrasing your question?

You are saying that you are running MySQL via Docker. How is Vault involved? What are you running that involves Vault?

You have to read exactly!
Maybe English isn’t your preferred language; mine definitely is not.

I don’t run MySQL etc. yet, but I want to!
So I want to use HashiCorp to encrypt the secrets.

My questions are:
-When will the secret be unhashed, in clear?
-Is it not possible to use these hashed secrets on the MySQL command line to connect to the database?
-Does Vault decrypt the hashed secret in the background, or how does it work? Let’s say you add a product in an online shop - in the background the shop system needs access to the database.

Bad, really bad that nobody helps!

I could answer my questions by myself with the HashiCorp Vault documentation and (more) videos.

These were the questions:

Q: -When will the secret be unhashed, in clear?
A: Never, because they can be used hashed

Q: -Is it not possible to use these hashed secrets on the MySQL command line to connect to the database?
A: The hashed secret can be used, so it’s a security risk

Q: -Does Vault decrypt the hashed secret in the background, or how does it work?
A: If hashed, it will be used hashed without problems