Can I safely write secrets to /dev/shm and delete them in the middle of a RUN command without them being exposed in the image?

Like the title says, I’m wondering if I can write secrets (mounted using Docker secrets) to files in /dev/shm, use them in the middle of a RUN command, and then delete them. Is there any chance the secrets would then be exposed in the image? The reason I want to do this is that I can’t find another satisfactory solution to the problem of writing a Dockerfile that accepts a variable number of SSH keys (my idea is to pass them in a single JSON file, write them to /dev/shm one by one so ssh -i works on them, then delete them as soon as I’ve used them).

Hello!

To answer your question, writing secrets to /dev/shm is generally considered safe because /dev/shm is a RAM disk, which means it exists only in memory and not on the host file system. Therefore, when the Docker container is stopped, the contents of /dev/shm are erased and not saved in the image or on the host.

However, I must caution you that using a temporary location like /dev/shm for secrets may still pose some security risks. If an attacker gains access to the running container, they may be able to access the secrets stored in /dev/shm. Therefore, it’s essential to ensure that your container’s security is properly configured and that only authorized users can access it.

Regarding your idea of passing SSH keys in a single JSON file and writing them to /dev/shm, it’s worth noting that there may be better ways to manage SSH keys securely in a Docker environment. For example, you could use environment variables to pass in the keys, which are then loaded into the container at runtime. Alternatively, you could use a Docker volume to store the keys outside the container, which can be mounted securely during runtime.

Overall, while writing secrets to /dev/shm and deleting them in the middle of a RUN command may be possible, it’s important to ensure that your container’s security is properly configured, and that the secrets are managed securely to prevent unauthorized access.

I hope that helps!

Thanks for your reply! I think I didn’t clearly explain my problem: The SSH keys are actually only used during build time to pull git repositories, and mounted as Docker build secrets, so the goal is to make them completely irretrievable to anyone in a running container or saved image; thus mounting them as volumes, e.g., would be unnecessary and unwanted, and the only risk should in theory be if the attacker has access to the container or its environment variables while it is building (my pre-build script loads the JSON file and converts it into an environment variable for passing as a secret).

Looks like RUN --mount=type=secret or RUN --mount=type=ssh could be useful in your scenario.
Those secrets are only available during build time are not persisted in the final image.

I’m using RUN --mount=type=secret; my issue is that you can only specify files that way one at a time and I want the Dockerfile to accept an arbitrary number of keys. So I was wondering if I could pass one file that contains multiple keys and safely write the keys one at a time to /dev/shm for use with ssh -i.