Container Security: Manage Secrets with Portainer

29 May 2022 3:00am, by

Portainer is one of the most powerful Docker (and Docker Swarm) managers on the market. With this tool, you can create and manage every aspect of your container deployments, including the management of services, networks, images, registries, volumes, configs, stacks, orchestration, and even secrets.

That’s right, you can even manage secrets for your containers.

What’s the big deal with secrets? Well, if you haven’t heard, containers can be stubbornly insecure. Given how many moving parts you’ll find in a deployment, it can be all too easy to develop and deploy something in such a way that ne’er-do-wells gain access to a running container or service and then leverage the passwords, certificates, and keys they find within. With those secrets (i.e. passwords, certificates, and keys), they can gain access to your services, APIs, accounts, and more.

You don’t want that. Trust me.

To avoid such a scenario, Docker makes it possible for developers to store their secrets outside the services in an encrypted form and then connect containers to those secrets. This is a much better method of keeping sensitive information from prying eyes.

And, guess what? Portainer makes it easy to work with secrets. In fact, I’ve yet to come across an easier method of managing/using secrets. And I’m going to show you how to do just that.

Requisites

To work with secrets, you’ll need a running instance of Portainer (I’ve explained how to deploy it in “Deploy Portainer for Easier Container Management”). One caveat: Portainer must be managing a Docker Swarm environment, otherwise you won’t have access to the Secrets option. To find out how to deploy Docker in Swarm mode, make sure to check out “Tutorial: Manage Docker Swarm with Portainer.”

With Portainer up and running, you are ready to create your first secret.

Creating a Secret

The first thing we’ll do is create a secret. Log into Portainer, select your environment, and click Secrets in the left navigation (Figure 1):

Figure 1: The Portainer main page in action.

In the resulting window (Figure 2), click Add Secret:

Figure 2: The Secrets management window in Portainer.

In the next window (Figure 3), give the secret a name, paste the actual secret value into the Secret field, and (if you’re entering the secret as plain text) make sure Encode secret is enabled:

Figure 3: Adding a new secret in Portainer.

If you need to enable access control for the secret, select either Administrators (the default) or Restricted, and then choose the users you want to grant access to the new secret (Figure 4):

Figure 4: Restricting access to a new secret to specific users.

After you’ve configured the secret exactly how you want it, click Create the secret and the configuration will be saved.

Using Your New Secret

Okay, let’s now use that new secret. To illustrate this, we’ll deploy a basic Redis service that uses the secret. Although this might not be the perfect illustration, it’s a simple way of showing how it’s done.

To create the service, click Services in the left sidebar and then click Add service. In the resulting window (Figure 5), fill out the basic information for the service:

Figure 5: Adding a new service from within Portainer.

Fill out the following information:

  • Name – redis-secret-test
  • Image – redis:alpine

Scroll down until you see the Secrets tab (Figure 6):

Figure 6: The Secrets tab is in the advanced configuration options.

Click Add a secret and, from the drop-down (Figure 7), select the new secret you just created:

Figure 7: Selecting our SSH-KEY secret we just added to Portainer.

Finally, click Create the service and the service will deploy. You will then be taken back to the Services list, where you’ll see your new service. If you click the redis-secret-test entry, you will see the secret has been successfully attached to the service (Figure 8):

Figure 8: Our service has been deployed with the secret intact.

Should someone gain access to that service, they won’t be able to view the secret, because it is stored encrypted. In fact, even if someone gains access to your Portainer instance, they can view the secrets listing but cannot view the secret’s value itself.

With the service deployed, you will also notice that a container has been created. You will not, however, find a listing of, or access to, the secret from within the container listing.
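As an added example (not code from the article or from Portainer), here is the Swarm stack file equivalent of the secret created above and the service that uses it, with Redis actually consuming the secret: Swarm delivers a secret to each task of the service as a file under /run/secrets/<name> on an in-memory mount, which is how a process reads it without the value ever being baked into the image, an environment variable, or the stack file. The redis-secret-test name and redis:alpine image are the article’s; the secret name redis_password (the screenshots use SSH-KEY), its creation in Portainer with Encode secret enabled, and the uid/gid of the redis user in the image are my assumptions.

```yaml
# Added example, not code from the article. Assumes a secret named
# "redis_password" already exists in the swarm (created in Portainer with
# "Encode secret" enabled, so the mounted file contains the plain text).
version: "3.8"

services:
  redis-secret-test:
    image: redis:alpine
    user: redis                 # do not run the server as root
    secrets:
      - source: redis_password
        target: redis_password  # becomes /run/secrets/redis_password in the task
        uid: "999"              # assumed ids of the "redis" user in redis:alpine;
        gid: "1000"             # verify with: docker run --rm redis:alpine id redis
        mode: 0400              # readable only by that user
    # Read the password from the mounted secret file at start-up. Refuse to
    # start if the file is missing or empty, so a misconfigured deployment
    # cannot silently come up as an unauthenticated Redis.
    # "$$" is how a Compose/stack file writes a literal "$" for the shell.
    command:
      - sh
      - -c
      - |
        pw="$$(cat /run/secrets/redis_password)" || exit 1
        [ -n "$$pw" ] || { echo "redis_password secret is empty" >&2; exit 1; }
        # Hand the password to Redis as config on stdin ("-") instead of as a
        # --requirepass argument, so it never appears in the process list.
        exec redis-server - <<EOF
        requirepass $$pw
        EOF
    deploy:
      replicas: 1

secrets:
  redis_password:
    # external: the value lives only in the swarm's encrypted store; the
    # stack file references it by name and never contains it.
    external: true
```

Deploy it with `docker stack deploy -c redis-secret.yml redis-secret-test`; because the secret is declared external, the deploy fails up front if no secret of that name exists in the swarm.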

Another thing to keep in mind is that you cannot delete a secret if it is being used by a running service. So, if you find a need to delete a secret, first delete the service, and then you can remove the secret.

Conclusion

If you want to add secrets and make them available to your Docker services and full-stack apps, Portainer is a great tool to make this process incredibly easy. I highly recommend you spin up Portainer in a development environment and practice creating and using secrets before you jump right into a production environment with this process. Remember, your containers have a lot of moving parts, so the last thing you want to do is add unencrypted secrets to make it easy for bad actors to hack your deployments.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Enable, Docker.