When using docker login, it saves my credentials to ~/.docker/config.json as base64.
It also states that it's safer to use a credentials store and helper, because:
Using an external store is more secure than storing credentials in the Docker configuration file.
That sounds good, but lacks detail.
I have two threat models:
- On my personal machine: I'm the only user, and my home directory is protected anyway - so only I and root can access the file (and I am root).
- On a server managed by automation (Ansible): there are only two users, the automation and root users (both me).
I prefer more security, but in my environment and threat model this just seems like busywork.
In these use cases, why is it more secure to use a credential store? Are there actual practical risks which I've neglected?
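Added example, not part of the original question: a small Python audit of the file the question describes, reporting inline base64 `auth` entries, a missing `credsStore`/`credHelpers`, and permissions wider than the owner. The sample configs, the registry name `registry.example.com`, the user `alice` and the helper functions are constructed for illustration.

```python
import base64, json, os, stat, tempfile

# Constructed samples (not real credentials): the two shapes of config.json.
SAMPLE_INLINE = {"auths": {"registry.example.com": {
    "auth": base64.b64encode(b"alice:constructed-secret").decode()}}}
SAMPLE_STORE = {"auths": {"registry.example.com": {}}, "credsStore": "pass"}

def audit_docker_config(path):
    """Return findings for a Docker client config; never returns the secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o}: readable beyond the owner")
    with open(path) as fh:
        cfg = json.load(fh)
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret lives in a store or helper
        try:
            user = base64.b64decode(blob, validate=True).decode().split(":", 1)[0]
        except ValueError:  # covers bad base64 and bad UTF-8
            user = "<undecodable>"
        findings.append(f"{registry}: inline credential for user {user!r}, "
                        "base64 is an encoding, not encryption")
    if not cfg.get("credsStore") and not cfg.get("credHelpers"):
        findings.append("no credsStore or credHelpers configured")
    return findings

def audit_sample(cfg, mode):
    """Write a sample config with the given mode to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w") as fh:
            json.dump(cfg, fh)
        os.chmod(path, mode)
        return audit_docker_config(path)

if __name__ == "__main__":
    for line in audit_sample(SAMPLE_INLINE, 0o644):
        print("FINDING:", line)
    print("with store:", audit_sample(SAMPLE_STORE, 0o600))
```

To check a real file, call `audit_docker_config(os.path.expanduser("~/.docker/config.json"))`.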