
Do Docker secrets provide any additional security over a bind mount?


From what I understand, Docker secrets and mounts (bind and volume) are all secure ways of managing secrets within a Docker container. I am wondering whether secrets has any security advantages?

I have an arbitrarily sized group of secrets. The secrets are kept in separate files in a folder. They periodically and automatically change. I want to make all of them available to a Docker container. Using a bind mount, I can mount their folder and they will all be accessible. Using secrets, I would have to specify each one in the Docker Compose file, increasing coupling and reducing maintainability. Is there any reason I should choose to go with secrets at the cost of maintainability?


Solution

  • Some time has elapsed, and I have become a little stronger, so I will now take a crack at this one.


    Yes, Docker secrets can be slightly more secure, depending. However, unless you have strict company security requirements you probably don't care, and if you do then you probably already know this.

    What you are looking to get is pretty much encryption.

    Compose

    In the Compose case, you can have secrets encrypted on disk on the outside (host) using secrets management software. For example using the incredible sops,

    sops exec-env secrets.sops.env 'docker compose up -d'
    

    In this case, encrypted secrets on disk in secrets.sops.env are unencrypted in memory, read into env vars, and made available only to the argument process.

    compose.yaml

    secrets:
      MY_ENV_VAR:
        environment: MY_ENV_VAR
    

    The argument process (docker compose) receives them and adds them to the container's disk (unencrypted in container). To assess them at this stage, evaluate the security of the container itself (insulation from host, how container data is stored, etc). I haven't looked into this.

    Note that to keep them off container disk, you would do that step (decryption) between the container and the program to run or even inside the program, instead of between the host and the container. But, this would require custom images with e.g. sops installed or tightly coupled app code, respectively - a bit more effort, code, and coupling to maintain.

    Swarm

    In the Swarm case (I've still never used Swarm, and would probably use K8S instead), from the docs,

    Secrets are encrypted during transit and at rest in a Docker swarm. A given secret is only accessible to those services which have been granted explicit access to it, and only while those service tasks are running.

    My interpretation of this is that things are even more secure than the previous sops example because we might get more encryption in transit [from disk to container]. Similar thing going on here though.

    At the end of the day we can say that this is a security/complexity tradeoff.
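
An added example, not part of the original question or answer: for the folder of rotating secret files the question describes, a Compose override can be generated from the folder, so no secret has to be listed by hand. The function name `gen_secrets_override`, the service name `app` and the file name `compose.secrets.yaml` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not the poster's code): declare every file in a secrets
# directory as a Compose secret and grant all of them to one service.
#
# Usage (directory, service and file names are hypothetical):
#   gen_secrets_override ./secrets app > compose.secrets.yaml &&
#   docker compose -f compose.yaml -f compose.secrets.yaml up -d
#
# Prints the override on stdout. Returns 1 if any file was skipped or no
# usable file was found, 2 if the directory cannot be entered.
gen_secrets_override() {
    dir=$(cd "$1" && pwd) || return 2   # absolute path, independent of cwd
    service=$2 refs="" defs="" rc=0
    for f in "$dir"/*; do               # the glob ignores dotfiles
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            # Compose resource names allow only these characters.
            *[!A-Za-z0-9._-]*)
                echo "skipped, unsafe name: $name" >&2; rc=1; continue ;;
        esac
        # Characters 5-10 of the mode string are the group and other bits;
        # a secret file should be accessible to its owner only.
        if [ "$(ls -ldL "$f" | cut -c5-10)" != "------" ]; then
            echo "skipped, accessible beyond owner: $name" >&2; rc=1; continue
        fi
        refs="$refs      - $name
"
        # Assumes the path contains no double quote or backslash.
        defs="$defs  $name:
    file: \"$f\"
"
    done
    [ -n "$refs" ] || { echo "no usable secret files in $dir" >&2; return 1; }
    printf 'services:\n  %s:\n    secrets:\n%ssecrets:\n%s' \
        "$service" "$refs" "$defs"
    return $rc
}
```

Compose mounts each declared secret in the container as a file under `/run/secrets/<name>`. The override has to be regenerated whenever files are added to or removed from the folder.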