How to protect users' credentials stored unencrypted in ~/.docker/config.json by 'docker login'?


I have a Docker registry deployed on a server, where multiple persons can log in as root. This local registry is used to pull and push Docker images in a remote registry hosted in an Artifactory instance. However, whenever a person does a docker login to an Artifactory repository with their credentials, Docker stores those credentials unencrypted, in a base64 encoding, in ~/.docker/config.json. Since the host of the local Docker registry is accessible by multiple persons, this puts their credentials at risk from others.

I searched and found alternatives to resolve this problem. According to the docker login documentation, the Docker Engine can keep user credentials in an external credentials store using an external helper program. From the list of currently available credential helpers, I chose the pass one. I followed the instructions given by other users here, and I successfully created a directory under ~/, where every credential could be stored encrypted:

[root@hostname ~]# ls -a .password-store/
.  ..  .gpg-id
[root@hostname ~]# pass
Password Store

It didn't take me long to realise that this didn't actually solve my problem. Let me explain. By running docker login for the first time after the above setup, the following directories were created:

[root@hostname ~]# docker login repository-name.artifactory-url
Username: myUserName
Password:
[root@hostname ~]# pass
Password Store
└── docker-credential-helpers
    └── cmVwb3NpdG9yeS1uYW1lLmFydGlmYWN0b3J5LXVybA==
        └── myUserName

The password is now encrypted in myUserName.gpg file under ~/.password-store/docker-credential-helpers/cmVwb3NpdG9yeS1uYW1lLmFydGlmYWN0b3J5LXVybA==/ directory, using the private key which corresponds to gpg-id included in ~/.password-store/.gpg-id file.

If a second person executes docker login as above, his/her credentials will be encrypted with the same private key as before. And then of course decrypted with the same public key. This is because docker automatically saves every new password under the same directory, ~/.password-store/docker-credential-helpers/, always using the ~/.password-store/.gpg-id file. If every person had his/her credentials stored under a different path, then an alternative .gpg-id file would be used for him/her, and thus a different private-public key pair.

Does anyone have an idea how to overcome either the problem with the unencrypted credentials in ~/.docker/config.json, or the problem with the pass utility I described?

My OS is a CentOS Linux release 7.9.2009.
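The two mechanisms the question compares, as an added example that is not part of the original post. The script builds a constructed ~/.docker/config.json (placeholder user myUserName, placeholder password s3cr3t, no real registry or account) and decodes its "auth" values, showing that without a helper the file holds only base64("user:password"); it then computes the path under ~/.password-store at which the pass helper would keep the same credential (docker-credential-helpers/<base64 of the server name>/<username>, which reproduces the tree shown in the question; the example assumes the helper uses the URL-safe base64 alphabet, which for a plain hostname gives the same string as the standard one), and emulates how pass picks the .gpg-id for an entry by walking up from the entry's directory to the store root. The store, the key ids root-key-id and registry-key-id, and the second entry name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker/pass.
# Everything here runs on constructed files in temporary directories.

# 1. A constructed config.json as written by `docker login` with no credsStore.
#    "auth" is base64("myUserName:s3cr3t") -- an encoding, not encryption.
DEMO_CONFIG=$(mktemp)
cat > "$DEMO_CONFIG" <<'EOF'
{
  "auths": {
    "repository-name.artifactory-url": {
      "auth": "bXlVc2VyTmFtZTpzM2NyM3Q="
    }
  }
}
EOF

# Print "<registry> <user:password>" for every entry in a config.json.
# Pairs each registry key with the "auth" value that follows it, then base64-decodes it.
decode_config_auths() {
	awk -F'"' '
		/^[[:space:]]*"[^"]+":[[:space:]]*[{]/ { registry = $2 }
		/"auth":/                               { print registry, $4 }
	' "$1" | while read -r registry b64; do
		printf '%s %s\n' "$registry" "$(printf '%s' "$b64" | base64 -d)"
	done
}

# 2. Where the pass credential helper stores the same credential, relative to the
#    password store: docker-credential-helpers/<base64(server)>/<username>.
#    Assumption: URL-safe alphabet ('+/' -> '-_'), as in the upstream helper.
pass_entry_for() {
	encoded=$(printf '%s' "$1" | base64 | tr -d '\n' | tr '+/' '-_')
	printf 'docker-credential-helpers/%s/%s\n' "$encoded" "$2"
}

# 3. Which .gpg-id pass uses for an entry: the nearest one at or above the entry's
#    directory, falling back to the store root. Mirrors pass's recipient lookup.
gpg_id_for_entry() {
	store=$1
	dir=$store/$(dirname "$2")
	while [ "$dir" != "$store" ] && [ ! -f "$dir/.gpg-id" ]; do
		dir=$(dirname "$dir")
	done
	cat "$dir/.gpg-id"
}

# Constructed store: a root .gpg-id plus one per-registry .gpg-id, i.e. what
# `pass init -p docker-credential-helpers/<base64(server)> registry-key-id` would write.
DEMO_REGISTRY=repository-name.artifactory-url
DEMO_ENTRY=$(pass_entry_for "$DEMO_REGISTRY" myUserName)
DEMO_OTHER_ENTRY=docker-credential-helpers/b3RoZXIucmVnaXN0cnk=/someoneElse
DEMO_STORE=$(mktemp -d)
printf 'root-key-id\n' > "$DEMO_STORE/.gpg-id"
mkdir -p "$DEMO_STORE/$(dirname "$DEMO_ENTRY")"
printf 'registry-key-id\n' > "$DEMO_STORE/$(dirname "$DEMO_ENTRY")/.gpg-id"

# Demonstration output.
decode_config_auths "$DEMO_CONFIG"
printf 'pass entry: %s\n' "$DEMO_ENTRY"
printf 'key for %s: %s\n' "$DEMO_ENTRY" "$(gpg_id_for_entry "$DEMO_STORE" "$DEMO_ENTRY")"
printf 'key for %s: %s\n' "$DEMO_OTHER_ENTRY" "$(gpg_id_for_entry "$DEMO_STORE" "$DEMO_OTHER_ENTRY")"
```

The third function makes the layout problem from the question concrete: because the helper puts the username as the leaf file under a per-registry directory, the finest grain at which pass can apply a different .gpg-id is that registry directory, so two users logging in to the same registry from the same account and store will always share the recipients listed there or at the root.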
