Jose Manuel Ortega Candel, profile picture
Uploaded byJose Manuel Ortega Candel
PDF, PPTX48 views

Sharing secret keys in Docker containers and K8s

The document discusses the challenges and best practices of managing secret keys in Docker containers and Kubernetes, emphasizing the importance of securely storing sensitive data like passwords and SSH keys. It outlines methods for managing secrets in Docker, including the use of Docker Swarm and Docker Compose, and in Kubernetes through volumes and sealed-secrets. Additionally, it explores other tools for distributing secrets, such as HashiCorp Vault and AWS Secrets Manager, reinforcing the critical role of secrets in container architectures to maintain separation between code and configuration.

Technology
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
Sharing secret keys in Docker containers and K8s José Manuel Ortega Security researcher
Jose Manuel Ortega Software engineer, Freelance
1.Challenges of security and secret keys in containers 2.Best practices for saving and securing distribution of secrets in Docker Containers 3.Managing secrets in Kubernetes using volumes and sealed-secrets 4.Other tools for distributing secrets in containers
Challenges of security and secret keys in containers
Challenges of security and secret keys in containers ● Secrets play a critical role in storing sensitive data separately from application code. This includes data such as passwords, hostnames, SSH keys, and more. ● Our application requires a database connection. To do this, it needs a hostname, username, and password. Furthermore, there's a different database server for development, testing, and production. ● With secrets, each environment can provide its own database information to the applications.
Challenges of security and secret keys in containers
How Docker manages secrets Docker's implementation of secrets uses the following features: ● Secrets are created and managed separately from applications. ● Follows principles of least privileged and need-to-know access. ● Flexibility to store a variety of different data types.
How Docker manages secrets
How Docker manages secrets $ docker swarm init --advertise-addr <MANAGER-IP> $ docker secret create my_secret /path/to/secret/file ● /run/secrets/<secret_name>
How Docker manages secrets
How Docker manages secrets
How Docker manages secrets
How Docker manages secrets
Best practices for saving and securing distribution of secrets in Docker Containers $ docker secret rm my_secret
Best practices for saving and securing distribution of secrets in Docker Containers $ docker service create --name my_app --secret source=my_secret,target=/different/path/to/secret/file,mode =0400
Best practices for saving and securing distribution of secrets in Docker Containers version: '3.1' services: my_app: image: my_app:latest secrets: - my_external_secret - my_file_secret secrets: my_external_secret: external: true my_file_secret: file: /path/to/secret/file.txt
Best practices for saving and securing distribution of secrets in Docker Containers $ docker stack deploy -c docker-compose.yml secrets1 Creating service secrets1_viewer $ docker logs $(docker ps -aqn1 -f status=exited) my_secret
Managing secrets in Kubernetes
Managing secrets in Kubernetes using volumes apiVersion: v1 kind: Pod metadata: name: volume-pod spec: containers: - name: express-test image: lukondefmwila/express-test:latest volumeMounts: - name: secret-volume mountPath: /etc/config/secret volumes: - name: secret-volume secret: secretName: my-secret
Managing secrets in Kubernetes using sealed-secrets
Managing secrets in Kubernetes using sealed-secrets apiVersion: v1 kind: Secret metadata: name: my-secret type: Opaque data: username: dXNlcg== password: cGFzc3dvcmQ=
Managing secrets in Kubernetes using sealed-secrets kubeseal --cert=public-key-cert.pem --format=yaml < secret.yaml > sealed-secret.yaml ● https://github.com/bitnami-labs/sealed-secrets/releases
Managing secrets in Kubernetes using sealed-secrets apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null name: my-secret namespace: default spec: encryptedData: password: AgBvA5WMunIZ5rF9... username: AgCCo8eSORsCbeJSoRs/...
Managing secrets in Kubernetes using sealed-secrets $ kubectl apply -f sealed-secret.yaml
Other tools for distributing secrets in containers ● Hashicorp Vault ● Keywhiz ● Akeyless Vault ● Cloud Provider solutions (AWS Secrets Manager, GCP Secret Manager)
Hashicorp Vault
Hashicorp Vault
Hashicorp Vault
Hashicorp Vault
Hashicorp Vault The key features of the Vault are: ● It encrypts and decrypts data without storing it. ● Vault can generate secrets on-demand for some operations, such as AWS or SQL databases. ● Allows replication across multiple data centers. ● Vault has built-in protection for secret revocation. ● Serves as a secret repository with access control details.
Keywhiz ● Keywhiz helps with infrastructure secrets, GPG keyrings, and database credentials, including TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. ○ Keywhiz Server ○ Keysync ○ Keywhiz CLI ○ Keywhiz automation API
Keywhiz
Keywhiz The key features of Keywhiz are: ● Helps with infrastructure secrets, GPG keyrings, and database credentials, including TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. ● Keywhiz Server provides JSON APIs for collecting and managing secrets. ● It stores all secrets in memory only.
AWS Secrets Manager
AWS Secrets Manager The key features of AWS Secrets Manager are: ● Encrypts and decrypts secrets, transmiting securely over TLS. ● Provides client-side caching libraries to improve the availability and reduce the latency of using your secrets. ● You can configure Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
Azure Key Vault
Akeyless Vault
Akeyless Vault The platform supports two more pillars: ● Zero-Trust Application Access by providing unified authentication and just-in-time access credentials, allowing you to secure the perimeter of applications and infrastructure. ● Encryption as-a-Service, allows customers to protect sensitive personal & business data by applying FIPS 140-2 certified app-level encryption.
Conclusions ● Secrets are an important tool for any container-based architecture because they help us achieve the goal of keeping code and configuration separate. ● Manage secrets in secure storage

More Related Content

PDF
K8 Meetup_ K8s secrets management best practices (Git Guardian).pdf
byMichaelOLeary82
 
PDF
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
PPTX
Container secrets talk from DevSecCon
byLiz Rice
 
PDF
Secrets acrosscloudk8s
byJhonnatan Gil
 
PDF
Commit 2024 Secrets Management Made Easy
byAlfredo García Lavilla
 
PDF
Kubernetes Secrets Management Meap V06 1 All 8 Chapters Alex Soto Bueno Andre...
bycawulineriku
 
PDF
Commit 2024 - Secret Management made easy
byAlfredo García Lavilla
 
PDF
Codemotion Madrid 2023 - Sealed Secrets_ protegiendo tus Secretos de Kubernet...
byAlfredo García Lavilla
 
K8 Meetup_ K8s secrets management best practices (Git Guardian).pdf
byMichaelOLeary82
 
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
Container secrets talk from DevSecCon
byLiz Rice
 
Secrets acrosscloudk8s
byJhonnatan Gil
 
Commit 2024 Secrets Management Made Easy
byAlfredo García Lavilla
 
Kubernetes Secrets Management Meap V06 1 All 8 Chapters Alex Soto Bueno Andre...
bycawulineriku
 
Commit 2024 - Secret Management made easy
byAlfredo García Lavilla
 
Codemotion Madrid 2023 - Sealed Secrets_ protegiendo tus Secretos de Kubernet...
byAlfredo García Lavilla
 

Similar to Sharing secret keys in Docker containers and K8s

PDF
Knolx_ Sealed Secrets
byKnoldus Inc.
 
PDF
Your (container) secret's safe with me
byLiz Rice
 
PDF
Secrets in Kubernetes
byJerry Jalava
 
PDF
Secrets in Kubernetes
byQvik
 
PDF
Your secret's safe with me
byAqua Security
 
PDF
Your secret's safe with me
byLiz Rice
 
PDF
Kubernetes Secrets Management on Production with Demo
byOpsta
 
PDF
Secrets Management and Delivery to Kubernetes Pods
bySatish Devarapalli
 
PDF
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
byDynamicInfraDays
 
PPTX
Docker_Security_Complete_Guide for audit
byCseManit
 
PDF
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
PDF
XP Days 2019: First secret delivery for modern cloud-native applications
byVlad Fedosov
 
PPTX
Managing Secrets in Production
byErik Osterman
 
PPTX
Secret Management Architectures
byStenio Ferreira
 
PDF
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
PPTX
Understanding Sealed Secrets Presentation
byKnoldus Inc.
 
PDF
Lab 3.3 Serverless, Secrets, and API Gateway - 2nd Sight Lab Cloud Security C...
by2nd Sight Lab
 
PDF
Kubernetes Webinar - Using ConfigMaps & Secrets
byJanakiram MSV
 
PDF
Managing secrets with vault
byChris Levi
 
PDF
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 
Knolx_ Sealed Secrets
byKnoldus Inc.
 
Your (container) secret's safe with me
byLiz Rice
 
Secrets in Kubernetes
byJerry Jalava
 
Secrets in Kubernetes
byQvik
 
Your secret's safe with me
byAqua Security
 
Your secret's safe with me
byLiz Rice
 
Kubernetes Secrets Management on Production with Demo
byOpsta
 
Secrets Management and Delivery to Kubernetes Pods
bySatish Devarapalli
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
byDynamicInfraDays
 
Docker_Security_Complete_Guide for audit
byCseManit
 
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless
byAkeyless
 
XP Days 2019: First secret delivery for modern cloud-native applications
byVlad Fedosov
 
Managing Secrets in Production
byErik Osterman
 
Secret Management Architectures
byStenio Ferreira
 
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
byMary Racter
 
Understanding Sealed Secrets Presentation
byKnoldus Inc.
 
Lab 3.3 Serverless, Secrets, and API Gateway - 2nd Sight Lab Cloud Security C...
by2nd Sight Lab
 
Kubernetes Webinar - Using ConfigMaps & Secrets
byJanakiram MSV
 
Managing secrets with vault
byChris Levi
 
GDG SLK - Why should devs care about container security.pdf
byJames Anderson
 

More from Jose Manuel Ortega Candel

PDF
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
byJose Manuel Ortega Candel
 
PDF
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
byJose Manuel Ortega Candel
 
PDF
Seguridad y auditorías en Modelos grandes del lenguaje (LLM).pdf
byJose Manuel Ortega Candel
 
PDF
Beyond the hype: The reality of AI security.pdf
byJose Manuel Ortega Candel
 
PDF
Seguridad de APIs en Drupal_ herramientas, mejores prácticas y estrategias pa...
byJose Manuel Ortega Candel
 
PDF
Security and auditing tools in Large Language Models (LLM).pdf
byJose Manuel Ortega Candel
 
PDF
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaci...
byJose Manuel Ortega Candel
 
PDF
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
byJose Manuel Ortega Candel
 
PDF
PyGoat Analizando la seguridad en aplicaciones Django.pdf
byJose Manuel Ortega Candel
 
PDF
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
byJose Manuel Ortega Candel
 
PDF
Evolution of security strategies in K8s environments- All day devops
byJose Manuel Ortega Candel
 
PDF
Evolution of security strategies in K8s environments.pdf
byJose Manuel Ortega Candel
 
PDF
Implementing Observability for Kubernetes.pdf
byJose Manuel Ortega Candel
 
PDF
Computación distribuida usando Python
byJose Manuel Ortega Candel
 
PDF
Seguridad en arquitecturas serverless y entornos cloud
byJose Manuel Ortega Candel
 
PDF
Construyendo arquitecturas zero trust sobre entornos cloud
byJose Manuel Ortega Candel
 
PDF
Tips and tricks for data science projects with Python
byJose Manuel Ortega Candel
 
PDF
Implementing cert-manager in K8s
byJose Manuel Ortega Candel
 
PDF
Python para equipos de ciberseguridad(pycones)
byJose Manuel Ortega Candel
 
PDF
Python para equipos de ciberseguridad
byJose Manuel Ortega Candel
 
Simulando ataques adversarios con TextAttack: Vulnerabilidades y defensas en PLN
byJose Manuel Ortega Candel
 
Seguridad y auditorías en Modelos grandes del lenguaje (LLM)
byJose Manuel Ortega Candel
 
Seguridad y auditorías en Modelos grandes del lenguaje (LLM).pdf
byJose Manuel Ortega Candel
 
Beyond the hype: The reality of AI security.pdf
byJose Manuel Ortega Candel
 
Seguridad de APIs en Drupal_ herramientas, mejores prácticas y estrategias pa...
byJose Manuel Ortega Candel
 
Security and auditing tools in Large Language Models (LLM).pdf
byJose Manuel Ortega Candel
 
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaci...
byJose Manuel Ortega Candel
 
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
byJose Manuel Ortega Candel
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
byJose Manuel Ortega Candel
 
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
byJose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments- All day devops
byJose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments.pdf
byJose Manuel Ortega Candel
 
Implementing Observability for Kubernetes.pdf
byJose Manuel Ortega Candel
 
Computación distribuida usando Python
byJose Manuel Ortega Candel
 
Seguridad en arquitecturas serverless y entornos cloud
byJose Manuel Ortega Candel
 
Construyendo arquitecturas zero trust sobre entornos cloud
byJose Manuel Ortega Candel
 
Tips and tricks for data science projects with Python
byJose Manuel Ortega Candel
 
Implementing cert-manager in K8s
byJose Manuel Ortega Candel
 
Python para equipos de ciberseguridad(pycones)
byJose Manuel Ortega Candel
 
Python para equipos de ciberseguridad
byJose Manuel Ortega Candel
 

Recently uploaded

PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
Introduction-------- to-------ARM Cortex
byPujaSengupta6
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
From DeFi POC to Production MVP - A 12-16 Week Blueprint.pdf
byniahiggins21
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Introduction-------- to-------ARM Cortex
byPujaSengupta6
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Configure and Manage Systemd Timers- RHCSA (RH134).pdf
byLinuxCert Guru
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Designing a Blog Using Wordpress
bymarkzubi50
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 

Sharing secret keys in Docker containers and K8s

  • 1.
    Sharing secret keysin Docker containers and K8s José Manuel Ortega Security researcher
  • 2.
    Jose Manuel Ortega Softwareengineer, Freelance
  • 3.
    1.Challenges of securityand secret keys in containers 2.Best practices for saving and securing distribution of secrets in Docker Containers 3.Managing secrets in Kubernetes using volumes and sealed-secrets 4.Other tools for distributing secrets in containers
  • 4.
    Challenges of securityand secret keys in containers
  • 5.
    Challenges of securityand secret keys in containers ● Secrets play a critical role in storing sensitive data separately from application code. This includes data such as passwords, hostnames, SSH keys, and more. ● Our application requires a database connection. To do this, it needs a hostname, username, and password. Furthermore, there's a different database server for development, testing, and production. ● With secrets, each environment can provide its own database information to the applications.
  • 6.
    Challenges of securityand secret keys in containers
  • 7.
    How Docker managessecrets Docker's implementation of secrets uses the following features: ● Secrets are created and managed separately from applications. ● Follows principles of least privileged and need-to-know access. ● Flexibility to store a variety of different data types.
  • 8.
  • 9.
    How Docker managessecrets $ docker swarm init --advertise-addr <MANAGER-IP> $ docker secret create my_secret /path/to/secret/file ● /run/secrets/<secret_name>
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
    Best practices forsaving and securing distribution of secrets in Docker Containers $ docker secret rm my_secret
  • 15.
    Best practices forsaving and securing distribution of secrets in Docker Containers $ docker service create --name my_app --secret source=my_secret,target=/different/path/to/secret/file,mode =0400
  • 16.
    Best practices forsaving and securing distribution of secrets in Docker Containers version: '3.1' services: my_app: image: my_app:latest secrets: - my_external_secret - my_file_secret secrets: my_external_secret: external: true my_file_secret: file: /path/to/secret/file.txt
  • 17.
    Best practices forsaving and securing distribution of secrets in Docker Containers $ docker stack deploy -c docker-compose.yml secrets1 Creating service secrets1_viewer $ docker logs $(docker ps -aqn1 -f status=exited) my_secret
  • 18.
  • 19.
    Managing secrets inKubernetes using volumes apiVersion: v1 kind: Pod metadata: name: volume-pod spec: containers: - name: express-test image: lukondefmwila/express-test:latest volumeMounts: - name: secret-volume mountPath: /etc/config/secret volumes: - name: secret-volume secret: secretName: my-secret
  • 20.
    Managing secrets inKubernetes using sealed-secrets
  • 21.
    Managing secrets inKubernetes using sealed-secrets apiVersion: v1 kind: Secret metadata: name: my-secret type: Opaque data: username: dXNlcg== password: cGFzc3dvcmQ=
  • 22.
    Managing secrets inKubernetes using sealed-secrets kubeseal --cert=public-key-cert.pem --format=yaml < secret.yaml > sealed-secret.yaml ● https://github.com/bitnami-labs/sealed-secrets/releases
  • 23.
    Managing secrets inKubernetes using sealed-secrets apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: creationTimestamp: null name: my-secret namespace: default spec: encryptedData: password: AgBvA5WMunIZ5rF9... username: AgCCo8eSORsCbeJSoRs/...
  • 24.
    Managing secrets inKubernetes using sealed-secrets $ kubectl apply -f sealed-secret.yaml
  • 25.
    Other tools fordistributing secrets in containers ● Hashicorp Vault ● Keywhiz ● Akeyless Vault ● Cloud Provider solutions (AWS Secrets Manager, GCP Secret Manager)
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
    Hashicorp Vault The keyfeatures of the Vault are: ● It encrypts and decrypts data without storing it. ● Vault can generate secrets on-demand for some operations, such as AWS or SQL databases. ● Allows replication across multiple data centers. ● Vault has built-in protection for secret revocation. ● Serves as a secret repository with access control details.
  • 31.
    Keywhiz ● Keywhiz helpswith infrastructure secrets, GPG keyrings, and database credentials, including TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. ○ Keywhiz Server ○ Keysync ○ Keywhiz CLI ○ Keywhiz automation API
  • 32.
  • 33.
    Keywhiz The key featuresof Keywhiz are: ● Helps with infrastructure secrets, GPG keyrings, and database credentials, including TLS certificates and keys, symmetric keys, API tokens, and SSH keys for external services. ● Keywhiz Server provides JSON APIs for collecting and managing secrets. ● It stores all secrets in memory only.
  • 34.
  • 35.
    AWS Secrets Manager Thekey features of AWS Secrets Manager are: ● Encrypts and decrypts secrets, transmiting securely over TLS. ● Provides client-side caching libraries to improve the availability and reduce the latency of using your secrets. ● You can configure Amazon VPC (Virtual Private Cloud) endpoints to keep traffic within the AWS network.
  • 36.
  • 37.
  • 38.
    Akeyless Vault The platformsupports two more pillars: ● Zero-Trust Application Access by providing unified authentication and just-in-time access credentials, allowing you to secure the perimeter of applications and infrastructure. ● Encryption as-a-Service, allows customers to protect sensitive personal & business data by applying FIPS 140-2 certified app-level encryption.
  • 39.
    Conclusions ● Secrets arean important tool for any container-based architecture because they help us achieve the goal of keeping code and configuration separate. ● Manage secrets in secure storage