Support for Passing Passwords as Secrets in Docker Compose

[FabianRechsteiner]

Description: I would like to know if it’s possible to pass passwords as secrets in Docker Compose, similar to how the official PostgreSQL image supports Docker secrets.

For instance, PostgreSQL allows the use of _FILE appended to environment variables, enabling password retrieval from files stored as Docker secrets. Here’s an example from PostgreSQL:

As an alternative to passing sensitive information via environment variables, _FILE may be appended to some of the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/<secret_name> files. For example:

docker run --name some-postgres -e POSTGRES_PASSWORD_FILE=/run/secrets/postgres-passwd -d postgres

I’m attempting to implement a similar setup in my compose.yaml file for a BBOX service that connects to a PostGIS database, and I would like to manage sensitive information like the database password using secrets. Here is my current compose.yaml configuration:

---
services:
  bbox:
    image: sourcepole/bbox-server-qgis:v0.6.1 # https://hub.docker.com/r/sourcepole/bbox-server-qgis/tags
    container_name: bbox
    environment:
      - PGPASSWORD_FILE=/run/secrets/POSTGRES_BBOX_PASSWORD
      - PGUSER=${POSTGRES_BBOX_USERNAME}
      - PGDATABASE=${POSTGRES_DB}
      - PGHOST=${POSTGRES_HOST}
    secrets:
      - source: POSTGRES_BBOX_PASSWORD
        target: PGPASSWORD
    volumes:
      - ./bbox.toml:/bbox.toml
      - ./var:/var
      - ./tmp:/tmp
    ports:
     - 8080:8080
    restart: always
    networks:
      - postgis
      - nginx

secrets:
   POSTGRES_BBOX_PASSWORD:
     file: ./POSTGRES_BBOX_PASSWORD.env

networks:
  postgis:
    name: postgis
    external: true
  nginx:
    name: nginx
    external: true

Is this a valid way to handle passwords securely using Docker Compose secrets, or is there a better approach to achieving this? Any advice on best practices for securely managing credentials in this context would be appreciated.

[pka]

I didn't know Docker secrets! I'm passing passwords usually via .env files with appropriate file permission (chmod 600). Example:

services:
  bbox:
    image: sourcepole/bbox-server-qgis:v0.6.1
    environment:
      - PGPASSWORD={{ DB_PASSWORD }}

.env:

DB_PASSWORD=changeme

[FabianRechsteiner]

Currently, I am still using .env files to pass variables, including passwords. However, this is not optimal, as passwords are used unencrypted within the container and can also be output in log files. I use Portainer for monitoring and as an overview of my running containers, networks, and volumes. In doing so, Portainer can read the environment variables and display passwords in plaintext.

This should be avoided at all costs. Therefore, it is advisable to use Docker Secrets for sensitive data like passwords and tokens. These allow for a more secure handling of confidential information.

Docker Secrets are primarily intended for Docker Swarm, but with the correct configurations, they can also be utilized in docker-compose files without Docker Swarm. This way, one can benefit from this security measure even in a regular Compose setup.