Docker Secures Container Secrets in Datacenter Update
Docker has added new security features to its open-source and commercial container platforms
Docker is advancing its open-source container engine as well as its commercially supported Docker Datacenter platform with enhanced capabilities designed to help safeguard container secrets.
Secrets in the context of container applications are access tokens, passwords and other privileged access information that needs to be kept secure. The Docker 1.13 container engine release that debuted on Jan. 19 featured a new secrets management capability that has been further enhanced in the Docker 1.13.1 update, released on Feb. 8.
Additionally, Docker is now bringing the secrets management capability to a new update of Docker Datacenter – announced Feb. 9 – that is based on Docker 1.13.1. Docker Datacenter is Docker Inc’s flagship commercial platform and was first released back in February 2016.
“As a platform provider, we want to make sure we’re doing a good job of helping people secure applications and the secrets that are used by applications,” Nathan McCauley, Security Director at Docker, told eWEEK.
Securing secrets
From a deployment perspective, only the assigned applications within a cluster of docker engines known as a ‘swarm’ are able to access secrets. McCauley emphasized that applications running on the same infrastructure should not know each other’s secrets, they should only know the secrets they are specifically authorized to access.
The primary difference between the secrets management capability in the open-source Docker 1.13.1 update and what Docker Datacenter enables is additional access control. McCauley explained that Docker swarm has access control for the applications that need to access a secret when running in a cluster.
“What Docker Datacenter adds is access control for the human developers and administrators that are interfacing with the system,” McCauley said. “So you can assign secrets to a team and that team is then allowed to assign secrets to their own applications.”
The role based access control in the Docker Datacenter update can also be integrated with existing enterprise identity systems, including Microsoft’s ActiveDirectory.
Simply storing secrets securely, however, isn’t enough to keep secrets safe, as there still could be a potential risk of a secret being leaked by an application. “Applications are safer when the secret isn’t actually stored in the application itself,” McCauley explained.
To that end, Docker encrypts the backend storage where the secrets are stored in the swarm and all delivery of secrets to container applications occurs over secure Transport Layer Security (TLS) tunnels. The secrets are only available to applications in-memory and are not stored again to the individual application container’s storage segment.
The idea of having a secrets management facility for applications is not a new one. The open-source Vault project is another effort that provides secrets management and is currently also integrated with the Aqua Container Security Platform 2.0 update that was released on Feb. 2.
“Vault has implemented a good system, but it’s not integrated by default into the container management platform,” McCauley said. “Our belief at Docker is that you need a secrets management capability that is deeply integrated, to bridge the developer and operations workflows.”