mysql - Hide/obfuscate environmental parameters in docker

Question

I'm using the mysql image as an example, but the question is generic.

The password used to launch mysqld in docker is not visible in docker ps however it's visible in docker inspect:

sudo docker run --name mysql-5.7.7 -e MYSQL_ROOT_PASSWORD=12345 -d mysql:5.7.7

CONTAINER ID        IMAGE               COMMAND                   CREATED             STATUS              PORTS               NAMES
b98afde2fab7        mysql:5.7.7         "/entrypoint.sh mysq   6 seconds ago       Up 5 seconds        3306/tcp            mysql-5.7.7

sudo docker inspect b98afde2fab75ca433c46ba504759c4826fa7ffcbe09c44307c0538007499e2a

"Env": [
        "MYSQL_ROOT_PASSWORD=12345",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "MYSQL_MAJOR=5.7",
        "MYSQL_VERSION=5.7.7-rc"
    ]

Is there a way to hide/obfuscate environment parameters passed when launching containers. Alternatively, is it possible to pass sensitive parameters by reference to a file?

Answer 1

Weirdly, I'm just writing an article on this.

I would advise against using environment variables to store secrets, mainly for the reasons Diogo Monica outlines here; they are visible in too many places (linked containers, docker inspect, child processes) and are likely to end up in debug info and issue reports. I don't think using an environment variable file will help mitigate any of these issues, although it would stop values getting saved to your shell history.

Instead, you can pass in your secret in a volume e.g:

$ docker run -v $(pwd)/my-secret-file:/secret-file ....

If you really want to use an environment variable, you could pass it in as a script to be sourced, which would at least hide it from inspect and linked containers (e.g. CMD source /secret-file && /run-my-app).

The main drawback with using a volume is that you run the risk of accidentally checking the file into version control.

A better, but more complicated solution is to get it from a key-value store such as etcd (with crypt), keywhiz or vault.