paint-brush
Getting rid of Docker plain text credentialsby@frontside
22,833 reads
22,833 reads

Getting rid of Docker plain text credentials

by David RiegerMarch 8th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

You might not be aware of it, but the <a href="https://hackernoon.com/tagged/docker" target="_blank">docker</a> engine stores the credentials you use with <code class="markup--code markup--p-code">docker login</code> in plain text in a file called <code class="markup--code markup--p-code">$HOME/.docker/config.json</code>. Well, granted, it’s not ASCII, it’s base64, which may look like encryption on first glance, <strong>but it’s not</strong>. Base64 is a scheme for encoding, not encryption. You can simply copy the base64 string and convert it to ASCII in a matter of seconds.

Company Mentioned

Mention Thumbnail
featured image - Getting rid of Docker plain text credentials
David Rieger HackerNoon profile picture

You might not be aware of it, but the docker engine stores the credentials you use with docker login in plain text in a file called $HOME/.docker/config.json. Well, granted, it’s not ASCII, it’s base64, which may look like encryption on first glance, but it’s not. Base64 is a scheme for encoding, not encryption. You can simply copy the base64 string and convert it to ASCII in a matter of seconds.

OMG, I’m strongly concerned about the secrecy of my passwords, what should I do?

I’m glad you asked. Thankfully, docker offers credential helpers, which will use your operating system’s native credential store instead of config.json.

Download the archive containing the helper for your operating system from Github and unpack it to **/usr/local/bin**. Don’t forget to make it executable.

If you are on Linux this should work for you to install verison 0.4.2 of the helper (you will need to be root):

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.4.2/docker-credential-secretservice-v0.4.2-amd64.tar.gz && tar -xf docker-credential-secretservice-v0.4.2-amd64.tar.gz && chmod +x docker-credential-secretservice && mv docker-credential-secretservice /usr/local/bin/

Once that’s done, open **~/.docker/config.json** and add a **credsStore** key to the JSON object’s root. The value will be the name of the credential storage service. This is basically the word after the last hyphen of the executable you just installed. For Linux, the executable is called docker-credential-secretservice, so the service name is secretservice.

If you are on Linux and trust my sed skills you could try and run

sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json

From this point forward, docker will use the external service to store your credentials for docker login <url>. To get rid of the ones that are already in the file, simply docker logout <url>.


**Reference**Official Documentation on docker login.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.

To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.

If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!