According to the official docs https://docs.docker.com/engine/swarm/configs/:
Configs operate in a similar way to secrets, except that they are not encrypted at rest…
but also:
The config is stored in the Raft log, which is encrypted.
I understand that I can see the contents of a docker config with docker inspect using the --pretty option:
docker config inspect my_config --pretty
whereas the similar command for secrets does not expose the secret value:
docker secret inspect my_config --pretty
On the other hand, in both cases I can connect to the container and expose the config and the secret respectively:
e.g.
docker exec -ti 9ee94f84943e cat /etc/grafana/grafana.ini or
docker exec -ti 9ee94f84943e cat /run/secrets/grafana_admin
So what is the case here? When we are talking about encryption/security, what more do docker secrets actually provide compared to docker configs?
There are numerous cases where a config file could contain sensitive data.
My design goes like this:
- Store the sensitive data encrypted in git (e.g. ansible vault)
- Store a template of the configuration in git
- Ansible to decrypt the vault and instantiate the template in memory
- Ansible to feed the configuration (now including the sensitive data) to docker config create
- Declare the config name and targeted path inside the container in the docker-compose file
- docker stack deploy the stack based on the docker-compose file
That is quite flexible, as I can feed the containers different ‘flavours’ of configuration (with or without sensitive data) at runtime depending on the targeted environment (e.g. dev, production), and that is without changing the service or rebuilding an image.
If I were to do this with docker secrets, I would have to either change the service to read sensitive data from specific files (under /run/secrets/) or inject into the image a script that runs before the actual service (Dockerfile entrypoint) and reads the secrets and modifies the configuration files inside the container accordingly.
The approach with the docker config is way more elegant. Though I am not sure about the security aspect.
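As an added example (not code from the question, from Docker or from Grafana), here is the "entrypoint script" alternative the post mentions, written so that the sensitive values stay in docker secrets while the non-sensitive template can still be shipped as a docker config. The security point it demonstrates: the values are read from the files swarm mounts under /run/secrets and only ever exist in the rendered file inside the container, so they never pass through docker config create and cannot be pulled back out with docker config inspect. The placeholder syntax @@secret_name@@, the rule that each secret is a file named after the placeholder, the sample template and the sample secret values are all my assumptions, constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question, Docker or Grafana.
# Renders a config template by substituting docker secrets read from files,
# so secrets stay out of `docker config create` / `docker config inspect`.
#
# Assumptions (mine): placeholders look like @@secret_name@@ and each secret is
# a file <secret_name> in SECRETS_DIR (swarm mounts them under /run/secrets).
# Only the first line of a secret file is used; multi-line secrets are not
# supported.

# render_config TEMPLATE SECRETS_DIR OUTPUT
# Writes OUTPUT (mode 0600, since it now contains secrets). Returns 2 and
# leaves no partial OUTPUT behind if a referenced secret is missing or empty.
render_config() {
    template="$1"; secrets_dir="$2"; output="$3"
    (
        umask 077
        awk -v dir="$secrets_dir" '
        {
            rest = $0; out = ""
            # Scan left to right; substituted values are never rescanned, so a
            # secret containing "@@" cannot be expanded again or loop forever.
            while (match(rest, /@@[A-Za-z0-9_]+@@/)) {
                name = substr(rest, RSTART + 2, RLENGTH - 4)
                file = dir "/" name
                if ((getline val < file) <= 0) {
                    print "render_config: missing or empty secret: " name > "/dev/stderr"
                    exit 2
                }
                close(file)
                out = out substr(rest, 1, RSTART - 1) val
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out rest
        }' "$template" > "$output"
    ) || { rm -f "$output"; return 2; }
}

# demo: constructed sample template and secret files (not real credentials),
# rendered into a temp dir and printed to stdout.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/secrets"
    printf 's3cr3t-pw\n' > "$work/secrets/grafana_admin"
    printf 'postgres://grafana:db-pass@db:5432/grafana\n' > "$work/secrets/grafana_db_url"
    printf '%s\n' \
        '[security]' \
        'admin_user = admin' \
        'admin_password = @@grafana_admin@@' \
        '' \
        '[database]' \
        'url = @@grafana_db_url@@' > "$work/grafana.ini.tmpl"
    render_config "$work/grafana.ini.tmpl" "$work/secrets" "$work/grafana.ini" || return $?
    cat "$work/grafana.ini"
    rm -rf "$work"
}

# In a real entrypoint (hypothetical paths) the last two lines would be:
#   render_config /etc/grafana/grafana.ini.tmpl /run/secrets /etc/grafana/grafana.ini
#   exec "$@"
```

With this layout the template (no sensitive data) can be a docker config, which is the part that is readable through docker config inspect, and the values live in secrets, which inspect will not return. The rendered file is still an on-disk copy of the secrets inside the container, which is why the function writes it owner-only; keep it off volumes and out of image layers, and remember that anyone with docker exec on the container can read it just as the post shows for both mechanisms.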