Security and Best Practices - docker/docker-credential-helpers

Strong credential management is crucial for protecting sensitive data such as usernames, passwords, and API keys. pass is a command-line password manager that encrypts every entry with GPG: a “password store” is a directory tree (by default ~/.password-store) in which each credential is an individual .gpg file, encrypted to the GPG key(s) listed in the store's .gpg-id file.

Key management for pass includes:

  1. Initialization: pass does not create GPG keys itself. Generate one first (gpg --full-generate-key), then run pass init <gpg-id> with that key's ID or e-mail address to create the store and record which key new entries are encrypted to.
  2. Adding credentials: pass insert <service_name> prompts for the secret and writes it as an encrypted file. docker-credential-pass does this on your behalf when you run docker login.
  3. Retrieving credentials: pass <service_name> (equivalently pass show <service_name>) decrypts and prints the entry, asking for the GPG passphrase unless gpg-agent has it cached.

Best practices for secure use of pass include:

  • Use a strong GPG key: a modern key type (for example RSA 4096 or Curve25519) protected by a long passphrase, so that a copied keyring is still useless without the passphrase.
  • Keep the GPG key safe: the private key is the one secret that unlocks every entry. Keep it only on the hosts that need it, back it up offline, and never share it.
  • Rotate the GPG key: set an expiration date on the key and replace it before it expires. Running pass init <new-gpg-id> re-encrypts the existing entries to the new key, so rotation does not require re-entering credentials.
  • Use a unique password store: create a separate store (and key) per system or user, so that a compromised host or key exposes only that store.
  • Limit access to the password store: restrict permissions on ~/.password-store and ~/.gnupg to the owning user, and keep the gpg-agent cache lifetime (default-cache-ttl in gpg-agent.conf) short. While the passphrase is cached, anyone who can run commands as that user can read every entry, which is the usual way a pass-backed Docker credential leaks on a shared or compromised workstation.

The docker-credential-helpers project provides external helper programs that connect the Docker CLI to a specific keychain or external store. With a helper configured, docker login hands the credentials to the helper instead of writing them into config.json. Each helper is a binary named docker-credential-<name> that must be on $PATH; the CLI runs it with one of the actions get, store, erase or list and exchanges data over stdin and stdout. The available helpers include:

  • docker-credential-osxkeychain (for the macOS keychain)
  • docker-credential-wincred (for the Windows Credential Manager)
  • docker-credential-secretservice (for the Secret Service D-Bus API on Linux, e.g. GNOME Keyring)
  • docker-credential-pass (for pass)
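To make the division of labour between the CLI and a helper concrete, the following is an added example written for this page, not code from the docker-credential-helpers project: a minimal helper in Python that speaks the same stdin/stdout protocol the real helpers implement (store reads a JSON credential object, get and erase read a bare server URL, list prints a ServerURL-to-Username map, and a failed get prints "credentials not found in native keychain" and exits 1). It keeps secrets in a plain JSON file only so that it runs anywhere; the file location and the helper name docker-credential-demo are assumptions, and a real helper would back store/get with the OS keychain rather than a file.

```python
"""Minimal Docker credential helper demonstrating the helper protocol.

Added example for this page; not code from docker/docker-credential-helpers.
The backing store is a 0600 JSON file (assumed path below) purely for
illustration: it holds secrets in plaintext and must not be used for real.
"""
import json
import os
import sys

# Message a helper prints (to stdout, exit status 1) when `get` finds nothing.
NOT_FOUND = "credentials not found in native keychain"


class FileHelper:
    """Store keyed by ServerURL; each value holds Username and Secret."""

    def __init__(self, path):
        self.path = path

    def _load(self):
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as f:
            return json.load(f)

    def _save(self, data):
        # Create with mode 0600 so other local users cannot read the file.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)

    def store(self, creds):
        data = self._load()
        data[creds["ServerURL"]] = {
            "Username": creds["Username"],
            "Secret": creds["Secret"],
        }
        self._save(data)

    def get(self, server_url):
        entry = self._load().get(server_url)
        if entry is None:
            return None
        return {"ServerURL": server_url, **entry}

    def erase(self, server_url):
        data = self._load()
        data.pop(server_url, None)
        self._save(data)

    def list(self):
        return {url: e["Username"] for url, e in self._load().items()}


def handle(helper, action, stdin_text):
    """Dispatch one invocation; returns (stdout_text, exit_code).

    `store` receives {"ServerURL","Username","Secret"} as JSON on stdin;
    `get` and `erase` receive the bare server URL; `list` reads nothing.
    """
    payload = stdin_text.strip()
    if action == "store":
        helper.store(json.loads(payload))
        return "", 0
    if action == "get":
        creds = helper.get(payload)
        if creds is None:
            return NOT_FOUND, 1
        return json.dumps(creds), 0
    if action == "erase":
        helper.erase(payload)
        return "", 0
    if action == "list":
        return json.dumps(helper.list()), 0
    return "unknown action: %s" % action, 1


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        sys.stderr.write("usage: docker-credential-demo <store|get|erase|list>\n")
        return 1
    # Assumed location for the demo store; a real helper uses the OS keychain.
    helper = FileHelper(os.path.expanduser("~/.docker-credential-demo.json"))
    out, code = handle(helper, argv[0], sys.stdin.read())
    if out:
        sys.stdout.write(out + "\n")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Installed as docker-credential-demo on $PATH and selected with "credsStore": "demo", this is all the CLI sees of a credential store: four actions and a JSON exchange. What the helper does with the secret is invisible to Docker, which is exactly why the store behind a helper must be an encrypted one (keychain, Credential Manager, Secret Service, or a GPG-backed pass store) and not a file like the one above.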

To use a helper for every registry, name it in $HOME/.docker/config.json. The value is the suffix of the binary name, so "osxkeychain" means the CLI will run docker-credential-osxkeychain from $PATH:

    {
        "credsStore": "osxkeychain"
    }

Or, to choose a helper per registry (a credHelpers entry takes precedence over credsStore for the registry it names; the helper names below are placeholders from the project's README):

    {
        "credHelpers": {
            "registry.example.com": "registryhelper",
            "awesomereg.example.org": "hip-star",
            "unicorn.example.io": "vcbait"
        }
    }

By default the Docker CLI (not the Engine; credentials are handled client-side) looks for the native helper binary on each platform: “osxkeychain” on macOS, “wincred” on Windows, and “pass” (with “secretservice” as the fallback) on Linux. If no helper binary is present, docker login writes the credentials into the "auths" section of config.json as base64(username:password). Base64 is an encoding, not encryption: anyone who can read the file recovers the password with a single decode, so a config.json without a helper must be treated as a plaintext secret and checked before dotfiles are shared, a home directory is backed up, or the file is copied into a container image.
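The following is an added example for this page (not project code) that audits a config.json the way a practitioner would before sharing a workstation image or dotfiles. It resolves which store the CLI would consult for each registry (a credHelpers entry whose key matches the registry exactly wins, then credsStore, otherwise the inline auths map) and decodes any inline auth value to show that the username and password are recoverable. The sample config is constructed for the example; the audit functions take any parsed config.json.

```python
"""Audit a Docker config.json for credentials stored without a helper.

Added example for this page; not code from docker/docker-credential-helpers.
"""
import base64
import json
import os

# Constructed sample: one registry routed to a helper, one left with the
# fallback that docker login uses when no helper is available.
SAMPLE_CONFIG = {
    "credHelpers": {"registry.example.com": "pass"},
    "auths": {
        # With a helper, the CLI keeps only an empty marker entry here.
        "registry.example.com": {},
        # Without a helper, the CLI stores base64("username:password").
        "legacy.example.net": {
            "auth": base64.b64encode(b"deploy:Hunter2!").decode("ascii")
        },
    },
}


def resolve_store(config, registry):
    """Return the helper name the CLI would use for `registry`, or None when
    the credentials would live inline in the "auths" map of the file."""
    helpers = config.get("credHelpers") or {}
    if registry in helpers:
        return helpers[registry]
    return config.get("credsStore") or None


def decode_inline_auth(auth_value):
    """Inline entries are base64("username:password"): reversible, not secret.
    Splits on the first colon, so passwords containing ':' survive."""
    raw = base64.b64decode(auth_value).decode("utf-8")
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("auth value is not of the form username:password")
    return username, password


def audit(config):
    """One finding per registry in "auths": which store handles it and whether
    a recoverable secret is sitting in the file ("inline": True)."""
    findings = []
    for registry, entry in (config.get("auths") or {}).items():
        username = None
        inline = "auth" in entry
        if inline:
            username, _password = decode_inline_auth(entry["auth"])
        findings.append({
            "registry": registry,
            "store": resolve_store(config, registry),
            "inline": inline,
            "username": username,
        })
    return findings


def audit_file(path=None):
    """Audit a real config file (default: the CLI's own location)."""
    path = path or os.path.expanduser("~/.docker/config.json")
    with open(path) as f:
        return audit(json.load(f))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        verdict = "PLAINTEXT-EQUIVALENT" if finding["inline"] else "helper: %s" % finding["store"]
        print("%-25s %s" % (finding["registry"], verdict))
```

Run against a real file with audit_file(); any finding with "inline": True is a secret that should be moved into a helper (docker logout, configure credsStore or credHelpers, docker login again) and, if the file has ever left the machine, rotated.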
