Created
June 1, 2021 04:24
-
-
Save bibekgupta3333/db804658bfd3153f46a58913fb7cfb0e to your computer and use it in GitHub Desktop.
Encrypted Credentials and credential storage for Docker Login
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduction | |
When we run docker login, we will often see a warning message that our password is saved encrypted | |
in the Docker configuration file. | |
The warning might be ignored if the account and password to the operating system is not shared | |
with others. However, if it is a shared account, docker login might put your docker account | |
and password in danger. If we check the JSON file, we would find there is an unencrypted | |
representing our password there. | |
$ docker login | |
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a | |
Docker ID, head over to https://hub.docker.com to create one. | |
Username: bibek | |
Password: | |
WARNING! Your password will be stored unencrypted in /home/leimao/.docker/config.json. | |
Configure a credential helper to remove this warning. See | |
https://docs.docker.com/engine/reference/commandline/login/#credentials-store | |
Login Succeeded | |
# Passwork saved as an unencrypted string in "auth". | |
$ cat /home/bibek/.docker/config.json | |
{ | |
"auths": { | |
"https://index.docker.io/v1/": { | |
"auth": "xxxxxxxxxxxxxxxxxxxxxxxx" | |
} | |
}, | |
"HttpHeaders": { | |
"User-Agent": "Docker-Client/19.03.12 (linux)" | |
} | |
} | |
# Docker logout to remove the saved credentials. | |
$ docker logout | |
What we need to do is to follow the credentials store guideline from Docker, install and | |
configure one of the credentials helpers, and encrypt our password. | |
In this blog post, I would like to briefly go over the credentials encryption set up | |
for docker login. | |
Docker Login Credentials Encryption | |
In my case, because I am a Linux user, so I chose to use pass as my credentials helper. | |
$ cat /home/bibek/.docker/config.json | |
{ | |
"auths": {}, | |
"HttpHeaders": { | |
"User-Agent": "Docker-Client/19.03.12 (linux)" | |
} | |
} | |
# Install the standard Unix password manager. | |
$ sudo apt-get install pass | |
# Download and install docker-credential-pass. | |
# The latest version is v0.6.3. | |
$ cd ~/Downloads/ | |
$ wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz | |
$ tar -xvf docker-credential-pass-v0.6.3-amd64.tar.gz | |
# Open ~/.bashrc to modify the $PATH or move the docker-credential-pass to the $PATH. | |
$ echo 'export PATH=$PATH:~/bin' >> ~/.bashrc | |
$ sudo rm /usr/bin/docker-credential-pass | |
$ sudo mv docker-credential-pass /usr/bin/ | |
$ chmod +x /usr/bin/docker-credential-pass | |
# Docker credentials helper have no credentials saved yet. | |
$ docker-credential-pass list | |
{} | |
# This might be necessary if the following step hangs forever. | |
# $ sudo apt-get install rng-tools | |
# Generate encryption keys. | |
$ gpg --generate-key | |
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc. | |
This is free software: you are free to change and redistribute it. | |
There is NO WARRANTY, to the extent permitted by law. | |
Note: Use "gpg --full-generate-key" for a full featured key generation dialog. | |
GnuPG needs to construct a user ID to identify your key. | |
Real name: bibek | |
Email address: bibekgupta@gmail.com | |
You selected this USER-ID: | |
"bibek <bibekgupta@gmail.com>" | |
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O | |
# Following the instruction to reate the password to the user ID. | |
# Initialize the password manager for the encryption key. | |
$ pass init bibekgupta@gmail.com | |
mkdir: created directory '/home/bibek/.password-store/' | |
Password store initialized for bibekgupta@gmail.com | |
$ cat /home/bibek/.password-store/.gpg-id | |
bibekgupta@gmail.com | |
# Add "credsStore": "pass" to the JSON file. | |
# So that Docker knows it has to use docker-credential-pass to manage credentials. | |
$ vim ~/.docker/config.json | |
# Now we could safely login. | |
$ docker login | |
Login with your Docker ID to push and pull images from Docker Hub. If you don't | |
have a Docker ID, head over to https://hub.docker.com to create one. | |
Username: bibek | |
Password: | |
Login Succeeded | |
$ docker-credential-pass list | |
{"https://index.docker.io/v1/":"leimao"} | |
# The password is no longer saved in the Docker configuration. | |
$ cat ~/.docker/config.json | |
{ | |
"auths": { | |
"https://index.docker.io/v1/": {} | |
}, | |
"HttpHeaders": { | |
"User-Agent": "Docker-Client/19.03.12 (linux)" | |
}, | |
"credsStore": "pass" | |
} | |
Caveats | |
If we happen to screw anything up, we could restart by deleting the related files. | |
$ rm -rf ~/.docker/ ~/.password-store/ ~/.gnupg/ | |
In some scenarios, especially when we SSH remotely, even with the Docker | |
credentials helper correctly set up, we might still not be able to access | |
the content in the Docker registry. | |
$ docker pull bibek/xxxxx:1.0 | |
Error response from daemon: pull access denied for bibek/xxxxx, repository does | |
not exist or may require 'docker login': denied: requested access to the resource | |
is denied | |
This is because gpg was not correctly invoked. This could be resolved by setting | |
the environment variable GPG_TTY. | |
$ export GPG_TTY=$(tty) | |
If you are curious about what tty is, you might check via the following command. | |
$ tty --help | |
Usage: tty [OPTION]... | |
Print the file name of the terminal connected to standard input. | |
REFERENCE | |
- [docker-credential-store]('https://docs.docker.com/engine/reference/commandline/login/#credentials-store') | |
- [How to Initialize Docker-Credentials-Pass]('https://github.com/docker/docker-credential-helpers/issues/102') | |
- [Docker Login Succeeded, Docker Pull Failed]('https://github.com/docker/docker-credential-helpers/issues/158') | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment