Categories: Cloud

Docker Secures Container Secrets in Datacenter Update

Docker is advancing its open-source container engine as well as its commercially supported Docker Datacenter platform with enhanced capabilities designed to help safeguard container secrets.

Secrets in the context of container applications are access tokens, passwords and other privileged access information that needs to be kept secure. The Docker 1.13 container engine release that debuted on Jan. 19 featured a new secrets management capability that has been further enhanced in the Docker 1.13.1 update, released on Feb. 8.

Additionally, Docker is now bringing the secrets management capability to a new update of Docker Datacenter – announced Feb. 9 – that is based on Docker 1.13.1. Docker Datacenter is Docker Inc’s flagship commercial platform and was first released back in February 2016.

“As a platform provider, we want to make sure we’re doing a good job of helping people secure applications and the secrets that are used by applications,” Nathan McCauley, Security Director at Docker, told eWEEK.

Securing secrets

From a deployment perspective, only the assigned applications within a cluster of docker engines known as a ‘swarm’ are able to access secrets. McCauley emphasized that applications running on the same infrastructure should not know each other’s secrets, they should only know the secrets they are specifically authorized to access.

The primary difference between the secrets management capability in the open-source Docker 1.13.1 update and what Docker Datacenter enables is additional access control. McCauley explained that Docker swarm has access control for the applications that need to access a secret when running in a cluster.

“What Docker Datacenter adds is access control for the human developers and administrators that are interfacing with the system,” McCauley said. “So you can assign secrets to a team and that team is then allowed to assign secrets to their own applications.”

The role based access control in the Docker Datacenter update can also be integrated with existing enterprise identity systems, including Microsoft’s ActiveDirectory.

Simply storing secrets securely, however, isn’t enough to keep secrets safe, as there still could be a potential risk of a secret being leaked by an application. “Applications are safer when the secret isn’t actually stored in the application itself,” McCauley explained.

To that end, Docker encrypts the backend storage where the secrets are stored in the swarm and all delivery of secrets to container applications occurs over secure Transport Layer Security (TLS) tunnels. The secrets are only available to applications in-memory and are not stored again to the individual application container’s storage segment.

The idea of having a secrets management facility for applications is not a new one. The open-source Vault project is another effort that provides secrets management and is currently also integrated with the Aqua Container Security Platform 2.0 update that was released on Feb. 2.

“Vault has implemented a good system, but it’s not integrated by default into the container management platform,” McCauley said. “Our belief at Docker is that you need a secrets management capability that is deeply integrated, to bridge the developer and operations workflows.”

Originally published on eWeek

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

8 hours ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

9 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

10 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

12 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

15 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

15 hours ago