Keeping secrets with containers
The 12-Factor App manifesto has trained us to pass configuration information into containers in the form of environment variables. In many cases that config information includes secrets, such as passwords and certificates that allow containers to identify and communicate with each other. If those secrets are leaked, an attacker has password and certificate information that could enable a serious system compromise.
In this talk I will show some of the ways in which those secrets are more accessible than you might imagine if you have not taken action to prevent it. For example, did you know that any environment variable in a container is easily accessible from the host machine?
We’ll look at approaches for encrypting your secrets and how these can be set up under orchestrators like Docker Swarm and Kubernetes, including key management systems and key rotation.
Actions speak louder than words, so this talk will dig into the technical detail with live demonstrations including:
* showing how plain-text environment variables are accessible to the host through the /proc pseudo-filesystem;
* showing how orchestrators like Docker Swarm and Kubernetes pass secret information around a deployment, and discussing the pros and cons of their approaches, including whether the secret is encrypted in transit and at rest;
* an illustration of key rotation and key management systems like HashiCorp Vault.
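As an added example (not part of the talk), the following Python audit script reads the NUL-separated `KEY=VALUE` records in `/proc/<pid>/environ` exactly as a sufficiently privileged host-side process can, and reports the names (never the values) of variables that look like credentials. The sample environ blob and the name patterns are constructed assumptions.

```python
"""Audit /proc/<pid>/environ for plain-text secrets (added example, not from the talk).

A container is just a process in namespaces, so on the host, root (or the
container's UID) can read /proc/<pid>/environ for it. Defenders can use the
same file to find which secrets are sitting in plain text.
"""
from __future__ import annotations

import os
import re
from pathlib import Path

# Assumption: variable names that usually carry credentials; extend as needed.
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE
)

# Constructed sample of what /proc/<pid>/environ holds for a container started
# with `docker run -e DB_PASSWORD=... -e APP_MODE=prod ...` (values are fake).
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0DB_PASSWORD=hunter2\0APP_MODE=prod\0"
    b"AWS_SECRET_ACCESS_KEY=not-a-real-key\0"
)


def parse_environ(raw: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records of a /proc/<pid>/environ file."""
    env: dict[str, str] = {}
    for record in raw.split(b"\0"):
        if not record:
            continue  # trailing NUL or empty record
        key, sep, value = record.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def find_secret_vars(env: dict[str, str]) -> list[str]:
    """Return the names of variables whose name looks like a credential."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


def audit_pid(pid: int) -> list[str]:
    """Audit one live process; empty list if unreadable (EACCES) or already gone."""
    try:
        raw = Path(f"/proc/{pid}/environ").read_bytes()
    except OSError:
        return []
    return find_secret_vars(parse_environ(raw))


def audit_all() -> dict[int, list[str]]:
    """Scan every readable process on the host, container processes included."""
    pids = (int(e) for e in os.listdir("/proc") if e.isdigit())
    return {pid: hits for pid in pids if (hits := audit_pid(pid))}


if __name__ == "__main__":
    for pid, names in audit_all().items():
        print(f"pid {pid}: plain-text secrets in environment: {', '.join(names)}")
```

Run it as root on a host with running containers to see which processes expose credentials through their environment; the same process listing is what a compromised host-level account would see.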
We’ll conclude with a checklist of things you want to address to keep your container secrets secure.