Public Repository

Last pushed: a year ago
Short Description
Provides a container which creates a mountable single-use secrets.txt file.
Full Description


Provides a container which creates single-use secrets.txt files.

I was trying to solve a few things:

  • Environment variables are not a great place to keep secrets lying around
  • We don't want files sitting around which have plain text secrets in them
  • A way to handle decrypting secrets which is agnostic of the hosting environment (like AWS)


This container will create a single use secrets file that can be mounted into another container by mounting to the /secrets directory.
It uses a key located at /keys/secrets_key with GnuPG to decrypt a file located at /encrypted/secrets.gpg. Both may be overridden with ENV variables KEY_PATH and ENCRYPTED_SECRETS_FILE.
The passphrase for the mounted secret key should be set with SECRETS_PASSPHRASE, which is unset after the script is built so it won't be available as an ENV var in the container.
The subsequent secrets file is located at /secrets/ and is intended to be executed by whatever container need them. The script echo's the contents of the secrets file, so one could have it contain whatever ENV vars the container needs, so if your encrpyted secrets file contains FOO=bar COLOR=blue you could use it: `` some_command_needing_secret_env_vars. This will prevent the secrets being set in ENV.


docker run \
  -e SECRETS_PASSPHRASE=testing1 \
  -v /path/to/encrypted:/encrypted \
  -v /path/to/keys:/keys \
  -v secrets:/secrets

you should then see a file locally at secrets/ Of course you probably want to mount it into another container.

Docker Pull Command

Comments (0)