Provides a container which creates single-use secrets.txt files.
I was trying to solve a few things:
- Environment variables are not a great place to keep secrets lying around
- We don't want files sitting around which have plain text secrets in them
- A way to handle decrypting secrets which is agnostic of the hosting environment (like AWS)
This container will create a single use secrets file that can be mounted into another container by mounting to the
It uses a key located at
/keys/secrets_key with GnuPG to decrypt a file located at
/encrypted/secrets.gpg. Both may be overridden with ENV variables
The passphrase for the mounted secret key should be set with
SECRETS_PASSPHRASE, which is unset after the script is built so it won't be available as an ENV var in the container.
The subsequent secrets file is located at
/secrets/secrets.sh and is intended to be executed by whatever container need them. The script
echo's the contents of the secrets file, so one could have it contain whatever ENV vars the container needs, so if your encrpyted secrets file contains
FOO=bar COLOR=blue you could use it:
`secrets.sh` some_command_needing_secret_env_vars. This will prevent the secrets being set in ENV.
docker run \ -e SECRETS_PASSPHRASE=testing1 \ -v /path/to/encrypted:/encrypted \ -v /path/to/keys:/keys \ -v secrets:/secrets thegene/mounted-secrets
you should then see a file locally at
secrets/secrets.sh. Of course you probably want to mount it into another container.