
I have an application running inside a Docker container, which is continuously being pushed to an Azure Container Registry. As part of the pipeline I am using the step:

docker login <Docker Server> -u <Username> -p <Password>

When my pipeline is running this step, I get the following warnings:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Should I do something about this, and do you have any proposed solutions?

Jacobian2450
  • 1/2) Implementing strong security requires knowing what you are securing (Docker credentials) and where the credentials are being stored - location, environment, OS and file system at a minimum and which security features the application (Docker) uses. Then you must evaluate the risks you are trying to minimize. Stealing your computer requires different strategies than reading what you type at your monitor or access to secrets from backups, etc. – John Hanley Sep 19 '21 at 22:56
  • 2/2) a) start with the security of the environment and the location. b) secure the operating system. c) encrypt the file system. d) use application security features such as encrypting your Docker credentials with helpers. The final strategy is up to you and how much time, money and inconvenience you can accept. – John Hanley Sep 19 '21 at 22:57

1 Answer


After you log in to your private image registry with the Docker login command, a warning is displayed that indicates that your password is stored unencrypted.

Causes

By default, Docker stores the login password unencrypted within the /root/.docker/config.json Docker configuration file. This is the default Docker behavior.

Resolving the problem

You can store your user credentials in an external credentials store instead of within the Docker configuration file. Storing your credentials in a credentials store is more secure than storing the credentials in the Docker configuration file. For more information.

According to docker documentation:

To run the docker login command non-interactively, you can set the --password-stdin flag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.

The following examples read a password from a file and pass it to the docker login command using STDIN:

$ cat ~/my_password.txt | docker login --username foo --password-stdin

OR

$ docker login --username foo --password-stdin < ~/my_password.

The following example reads a password from a variable, and passes it to the docker login command using STDIN:

$ echo "$MY_PASSWORD" | docker login --username foo --password-stdin

Reference: Docker: Using --password via the CLI is insecure. Use --password-stdin

https://www.ibm.com/docs/en/cloud-private/3.2.0?topic=login-docker-results-in-unencrypted-password-warning

RahulKumarShaw
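The answer above covers both halves of the warning: keeping the password off the command line (--password-stdin) and keeping it out of config.json (a credential helper). The script below is an added example, not code from the question, the answer or Docker's documentation. It assumes a POSIX shell, GNU coreutils (`base64 -d`), the docker CLI on PATH only for `registry_login`, and that the CI system injects the secret as the environment variable REGISTRY_PASSWORD (a name chosen here). `docker_cred_storage` reports how a given config.json stores credentials, and `decode_inline_auth` shows why an inline entry counts as unencrypted: it is only base64 of `user:password`.

```shell
#!/bin/sh
# Added example (not from the page). Assumes POSIX sh, GNU coreutils, docker on
# PATH for registry_login, and REGISTRY_PASSWORD set by the pipeline's secret store.

# Log in without the secret on the command line: the password goes to docker's
# STDIN, so it is absent from `ps` output, shell history and echoed pipeline logs.
registry_login() {
  server="$1"; user="$2"
  [ -n "$REGISTRY_PASSWORD" ] || { echo "REGISTRY_PASSWORD is not set" >&2; return 1; }
  printf '%s' "$REGISTRY_PASSWORD" | docker login "$server" --username "$user" --password-stdin
}

# Report how a Docker config.json stores credentials:
#   helper    - credsStore/credHelpers delegates to an external credential store
#   plaintext - an inline "auth" entry (base64 of user:password, not encrypted)
#   none      - file missing or no stored credentials
docker_cred_storage() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "none"; return 0; }
  if grep -Eq '"(credsStore|credHelpers)"' "$cfg"; then
    echo "helper"
  elif grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[A-Za-z0-9+/=]+"' "$cfg"; then
    echo "plaintext"
  else
    echo "none"
  fi
}

# Decode the first inline "auth" value to demonstrate that it is recoverable
# by anyone who can read the file (the point of the second warning).
decode_inline_auth() {
  cfg="$1"
  sed -n 's|.*"auth"[[:space:]]*:[[:space:]]*"\([A-Za-z0-9+/=]*\)".*|\1|p' "$cfg" \
    | head -n 1 | base64 -d
}

# Stand-alone usage: check the current user's Docker config.
cfg_path="${DOCKER_CONFIG:-$HOME/.docker}/config.json"
echo "credential storage in $cfg_path: $(docker_cred_storage "$cfg_path")"
```

In a pipeline, call `registry_login "$ACR_SERVER" "$ACR_USER"` after the secret store has populated REGISTRY_PASSWORD; the `docker_cred_storage` check is a useful post-login assertion that the build agent is actually using a credential helper rather than writing the token to config.json.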