A few years ago, using containers to run your applications came with a number of security tradeoffs compared to using virtual machines. As enterprises started adopting various container technologies faster than anybody expected, that became an issue and companies like Docker started making security a priority. For Docker especially, that work is starting to pay off. The company today announced that it now offers a container-native secrets management solution for Docker Datacenter that allows developers to safely make API keys, encryption keys and passwords available to their applications without having to use a third-party service.
As Docker security director Nathan McCauley told me, the traditional way of sharing these secrets generally involved copying them to a host or maybe integrating them directly into the source code. “Containers turned that upside down because the code could move arbitrarily — even to different infrastructure,” said McCauley. So people would either hack together their own solutions or use a third-party service like HashiCorp’s Vault.
Taking a shot at Docker’s container orchestration competitors, McCauley also argued that solutions that are simply bolted on to these tools are inherently insecure. It’s worth noting, though, that Kubernetes has built-in tools for managing secrets as well.
Docker’s solution lets you easily add the secret to your cluster (or a “swarm,” in Docker’s parlance). It’s only shared over mutually authenticated TLS connections and then stored securely on a manager node where it’s never written to disk unencrypted. You can find a few examples of how all of this works in practice here. The main idea here, though, is to ensure that all of this is very easy for developers to integrate and completely independent of the underlying infrastructure.
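The workflow described above, as an added example that is not part of the article: a secret is created from stdin on a swarm manager, attached to a service so each task receives it as a file under /run/secrets, and later rotated. The secret name, service name and values are placeholders; the swarm-side commands only run when a Docker swarm manager is actually available.

```shell
#!/bin/sh
# Added example (not from the article): the Docker swarm-mode secrets workflow.
# Assumes the docker CLI on a swarm manager; names and values are placeholders.
set -eu

# Create a secret from stdin so the value never touches a file or shell history.
# The managers store it in their encrypted raft log, never unencrypted on disk.
create_secret() {
    printf '%s' "$2" | docker secret create "$1" -
}

# The API returns only metadata for a secret, never the value itself.
show_secret_metadata() {
    docker secret inspect --format '{{.Spec.Name}} created {{.CreatedAt}}' "$1"
}

# Attach the secret to a service; each task gets it as a tmpfs file at
# /run/secrets/<name>, delivered to the worker over mutually authenticated TLS.
run_service_with_secret() {
    docker service create --detach --name "$1" --secret "$2" \
        alpine:3.19 sh -c 'sleep 3600'
}

# Rotate: create a new secret version, then swap it into the running service.
# Arguments: service, old secret name, new secret name, new value.
rotate_secret() {
    printf '%s' "$4" | docker secret create "$3" -
    docker service update --secret-rm "$2" --secret-add "$3" "$1"
}

# Inside the container the application reads the file rather than an
# environment variable or a constant baked into the source. The optional
# directory argument lets the function be exercised outside a container.
read_secret() {
    dir="${2:-/run/secrets}"
    cat "$dir/$1"
}

# Only run the swarm-side demo when this host is an active swarm manager.
if command -v docker >/dev/null 2>&1 &&
   [ "$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null)" = "active" ]; then
    create_secret db_password_v1 'example-only-password'
    show_secret_metadata db_password_v1
    run_service_with_secret demo_app db_password_v1
    rotate_secret demo_app db_password_v1 db_password_v2 'example-only-rotated'
fi
```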
As Docker’s VP of Enterprise Marketing David Messina told me, the company now considers security one of its main selling points. He argues that the company wants to get to a point where enterprises choose Docker because it’s inherently more secure than other options, including existing legacy solutions. “It’s a shift. We always had these pillars of agility and portability, that’s why everybody gravitated to us, but we’re announcing that the third pillar is security,” he added.