
Use container secrets securely #2270


Open
itoffshore opened this issue May 14, 2025 · 2 comments · May be fixed by #2271
Labels
enhancement needs triage Waiting for discussion / prioritization by team

Comments

@itoffshore

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

When running a container with DOCKER_STEPCA_INIT_PASSWORD_FILE set, the Docker entrypoint.sh cats the password file to /home/step/secrets/password & the file is world readable:

```
stepca:~$ ls -l secrets
total 516
-rw-------    1 step     step           314 May 14 00:03 intermediate_ca_key
-rw-r--r--    1 step     step        511875 May 14 00:02 password
-rw-------    1 step     step           314 May 14 00:03 root_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_host_ca_key
-rw-------    1 step     step           314 May 14 00:03 ssh_user_ca_key
```

Why is this needed?

  • For containers at least, a symlink is a better solution (which also works perfectly) - as the secret will usually be mounted in the container under /run/secrets/xxx with explicit permissions (possible in both docker & podman). This will work with the Dockerfile expecting to find the hardcoded /home/step/secrets/password & a container secret named anything.

  • Moving the symlink creation out of init to run every time DOCKER_STEPCA_INIT_PASSWORD_FILE is set is probably also recommended for cases where the container is run with a different password file location.

  • Am willing to make a PR if you agree with this approach.


  • Running stepca with a 378,000 char podman secret works ok - example.

  • I can also add to the PR a podman quadlet example .container file & run command.

@itoffshore itoffshore added enhancement needs triage Waiting for discussion / prioritization by team labels May 14, 2025
@tashian
Contributor

tashian commented May 14, 2025

Hi! I like the symlink approach and I'm curious how @jdoss and others on the team feel about it.

We just have to be aware of backward compatibility here, but it sounds like the symlink approach would not change any of the behavior outside of the init functionality. The CA would still read from /home/step/secrets/password on startup.

@itoffshore
Author

A symlink seemed like the least intrusive approach & shouldn't break anything.

Also, I thought to leave DOCKER_STEPCA_INIT_PASSWORD_FILE as it is rather than using a DOCKER_STEPCA_PASSWORD_FILE environment variable (outside of the init function in entrypoint.sh).

(So you can just add a note to Docker Hub that DOCKER_STEPCA_INIT_PASSWORD_FILE is read on every run), as I didn't see your Docker Hub readme in this repo.
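The copy-versus-symlink behaviour discussed in the issue and in the reply above, as an added example that is not the project's entrypoint.sh: a copy takes its mode from the umask, while a symlink leaves the CA reading the mounted secret with the permissions the runtime gave it. The function name `set_password_files` follows the commit message; all paths, the secret contents and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Contrasts the copy
# behaviour reported in the issue with the proposed symlink and checks the
# mode of the file the CA would actually open. All paths are constructed.
set -eu

# Reported behaviour: the secret is copied, so the copy's mode comes from the
# umask (usually 0644, world readable), not from the mounted secret.
copy_password() {
  cat "$1" > "$2"
}

# Proposed behaviour: make the well-known path a symlink to the mounted
# secret, so the permissions the runtime set on the secret are retained.
# Idempotent, so it can run on every container start: a stale regular file
# (e.g. an old world-readable copy) or a stale link is replaced.
set_password_files() {
  src=$1; dst=$2
  [ -f "$src" ] || { echo "password file $src missing or not a regular file" >&2; return 1; }
  [ -r "$src" ] || { echo "password file $src is not readable" >&2; return 1; }
  if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
    return 0
  fi
  mkdir -p "$(dirname "$dst")"
  rm -f "$dst"
  ln -s "$src" "$dst"
}

# Octal mode of the file behind a path, following symlinks (GNU stat, then BSD).
effective_mode() {
  stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Succeeds when the "other" class can read the effective target.
world_readable() {
  m=$(effective_mode "$1")
  case "${m#"${m%?}"}" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# Run both approaches on a constructed 0400 secret under a temp dir and
# succeed only if the copy is world readable while the symlink keeps 0400.
demo() {
  tmp=$(mktemp -d)
  secret="$tmp/run/secrets/ca_password"      # stands in for /run/secrets/xxx
  target="$tmp/home/step/secrets/password"    # stands in for the hardcoded path
  mkdir -p "$(dirname "$secret")" "$(dirname "$target")"
  printf 'constructed-example-password\n' > "$secret"
  chmod 0400 "$secret"
  umask 022
  copy_password "$secret" "$target"
  copy_mode=$(effective_mode "$target")
  set_password_files "$secret" "$target"
  link_mode=$(effective_mode "$target")
  echo "copy mode: $copy_mode  symlink mode: $link_mode"
  rm -rf "$tmp"
  [ "$copy_mode" = "644" ] && [ "$link_mode" = "400" ]
}
demo
```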

itoffshore added a commit to itoffshore/certificates that referenced this issue May 15, 2025
* increases the default password length from 40 to 256 characters
* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples
* fixes: smallstep#2270
@itoffshore itoffshore linked a pull request May 15, 2025 that will close this issue
itoffshore added a commit to itoffshore/certificates that referenced this issue May 29, 2025
* adds a new ENV variable DOCKER_STEPCA_PASSWORD_FILE so the password file
  location can be changed
* adds set_password_files() to entrypoint.sh so /home/step/secrets/password
  becomes a symlink in containers pointing to DOCKER_STEPCA_INIT_PASSWORD_FILE
  & also DOCKER_STEPCA_PASSWORD_FILE so file permissions are retained
* adds podman example quadlet / run command with a 378,000 character secret
* small update to README.md for new podman examples / docker examples

Fixes smallstep#2270