Securing Sensitive Details of Your Containerized Docker Applications

Nothing to see here!!!

When building applications using frameworks like Nodejs it's easy enough to implement dotenv libraries which give you the ability to pull in your environment specific and other config data when running the application from a .env file. It is also important that this data is kept away from your repositories and within the images of your docker package repositories not only taking your development environment into consideration but also in a way that ensures that info is kept safe during deployment to test and production environments. A popular example of such an implementation would look something like below which works great for dev environments but when deploying to the test environments simply don't work.

The .env file

config/environment data

The code

When using docker-compose to build the environment from the docker image the parameters in the .env file are simply not transferred into the container resulting in errors when bringing up the environment. The fix for this requires a few modifications to the code and the docker-compose file

Updated code

With containerization in mind.

Referencing the .env file in the docker-compose file as well as the environment parameters

Docker compose file referencing .env and environment parameters

And hey presto you have the ability to maintain separate config files for the different dev, test and production environments with minimal config changes and interventions during deployment when using docker-compose to build your environment.

This solution is not perfect because the PrivateKey and PublicKey still sit in the .env file but the hacker would have to be able to log onto the host machines to gain access to these detils. Another solution would be to use secrets but that's another story for another day.