Getting rid of Docker plain text credentials by@frontside

Getting rid of Docker plain text credentials

March 8th 2017 21,590 reads
Read on Terminal Reader
react to story with heart
react to story with light
react to story with boat
react to story with money
David Rieger HackerNoon profile picture

David Rieger

You might not be aware of it, but the docker engine stores the credentials you use with docker login in plain text in a file called $HOME/.docker/config.json. Well, granted, it’s not ASCII, it’s base64, which may look like encryption on first glance, but it’s not. Base64 is a scheme for encoding, not encryption. You can simply copy the base64 string and convert it to ASCII in a matter of seconds.

OMG, I’m strongly concerned about the secrecy of my passwords, what should I do?

I’m glad you asked. Thankfully, docker offers credential helpers, which will use your operating system’s native credential store instead of config.json.

Download the archive containing the helper for your operating system from Github and unpack it to **/usr/local/bin**. Don’t forget to make it executable.

If you are on Linux this should work for you to install verison 0.4.2 of the helper (you will need to be root):

wget && tar -xf docker-credential-secretservice-v0.4.2-amd64.tar.gz && chmod +x docker-credential-secretservice && mv docker-credential-secretservice /usr/local/bin/

Once that’s done, open **~/.docker/config.json** and add a **credsStore** key to the JSON object’s root. The value will be the name of the credential storage service. This is basically the word after the last hyphen of the executable you just installed. For Linux, the executable is called docker-credential-secretservice, so the service name is secretservice.

If you are on Linux and trust my sed skills you could try and run

sed -i '0,/{/s/{/{\n\t"credsStore": "secretservice",/' ~/.docker/config.json

From this point forward, docker will use the external service to store your credentials for docker login <url>. To get rid of the ones that are already in the file, simply docker logout <url>.

**Reference**Official Documentation on docker login.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.

To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.

If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

react to story with heart
react to story with light
react to story with boat
react to story with money
. . . comments & more!