I use Docker to run applications with several sensitive values as environment variables, such as mysql_pw, api_key, etc. These can all be viewed inside the container using the docker exec command. I've also noticed that docker secrets appear in plain text within the container.
I want to prevent these from being visible inside the container. My ideas include:
- Blocking the docker exec command.
- Blocking commands that display environment variables inside the Docker container.
Is this possible? Are there any better approaches?
No, you can't and you shouldn't, you try to solve a problem that is not a problem, AKA XY problem
anyone that can use docker command on the host is either in the sudo group so they can sudo docker or in the docker group so they don't need to use sudo to run docker commands, but with docker group membership they can make themself be sudoer pretty easy. So you must threat docker group as the user is in the sudo group. No way to block anything from a sudoer user.
anyone that gets access to a container will be able to read the sensitive data even if it is stored in ENV variables or in config files. Or if you store them in a vault (hashicorp vault, azure key vault, aws secret manager etc) then your app will need a key for that vault that needs to be stored in a config file or in ENV var that can also be read and so on. So the issue is not that you store secrets in ENV variables but that somebody gains shell access to your container.
Best place to store environment dependent (different DEV, PROD creds for example) configs are the ENV variables. Even if your app can not process them because your app is written in a way that the config MUST be stored in a specific config file, then you should make a ENTRYPOINT script that writes the needed ENV vars into the file before the app starts in the container.
https://12factor.net/config