Secrets

Securely Store Config Vars

  • Easiest "secure" solution for storing secrets in Swarm

  • What is a Secret?

    • Usernames and passwords

    • TLS certificates and keys

    • SSH keys

    • Any data you would prefer not be "on front page of news"

  • Supports generic strings or binary content up to 500Kb in size

  • Doesn't require apps to be rewritten

  • As of Docker 1.13.0 Swarm Raft DB is encrypted on disk

  • Only stored on disk on Manager nodes

  • By default, the Manager and Worker "control plane" uses TLS + Mutual Auth

  • Secrets are first stored in Swarm, then assigned to a Service(s)

  • Only containers in assigned Service(s) can see them

  • They look like files in the container but are actually on an in-memory fs

  • /run/secrets/<secret_name> or

  • /run/secrets/<secret_alias>

  • Local docker-compose can use file-based secrets, but they are not secure
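
An added example (not from the original page) of the application side: reading a secret from /run/secrets/<secret_name> and checking whether the file really sits on an in-memory filesystem. The secret name db_password, the helper names and the mount-table lines are constructed; the tmpfs and ext4 lines reflect the assumption that a Swarm secret is mounted on tmpfs while a file-based Compose secret is a bind mount from host disk.

```python
import os
import tempfile

MAX_SECRET_BYTES = 500 * 1024  # size limit from the list above, read as 500 * 1024 bytes (assumption)

# Constructed /proc/mounts excerpts: Swarm service vs. local file-based Compose secret.
SWARM_MOUNTS = ("overlay / overlay rw,relatime 0 0\n"
                "tmpfs /run/secrets/db_password tmpfs ro,relatime 0 0\n")
COMPOSE_MOUNTS = ("overlay / overlay rw,relatime 0 0\n"
                  "/dev/sda1 /run/secrets/db_password ext4 ro,relatime 0 0\n")


def read_secret(name, secrets_dir="/run/secrets"):
    """Return the raw bytes of secret `name` (string or binary content)."""
    # Reject anything that could escape the secrets directory.
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        raise ValueError("invalid secret name")
    with open(os.path.join(secrets_dir, name), "rb") as fh:
        data = fh.read(MAX_SECRET_BYTES + 1)
    if len(data) > MAX_SECRET_BYTES:
        raise ValueError("file is larger than a secret can be")
    return data


def backing_fstype(path, mounts_text):
    """Filesystem type of the mount covering `path`, from /proc/mounts-style text."""
    best_len, best_type = -1, None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount_point, fstype = fields[1], fields[2]
        prefix = mount_point.rstrip("/") + "/"
        # Longest matching mount point wins; a later line overrides an equal one.
        if (path == mount_point or path.startswith(prefix)) and len(mount_point) >= best_len:
            best_len, best_type = len(mount_point), fstype
    return best_type


def demo():
    """Read a constructed secret from a temporary stand-in for /run/secrets."""
    with tempfile.TemporaryDirectory() as secrets_dir:
        with open(os.path.join(secrets_dir, "db_password"), "wb") as fh:
            fh.write(b"s3cr3t-constructed\n")
        return read_secret("db_password", secrets_dir=secrets_dir).rstrip(b"\n")
```

Inside a container, pass the contents of /proc/mounts as mounts_text; a result other than tmpfs for a secret path means the value is backed by a file on disk.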
