如何使用我的 gpg 密钥解密 docker 容器中的文件而不将其保存在图像中?
[英]How do I use my gpg key to decrypt a file in a docker container without saving it in the image?
问题描述
I'm using airflow and the dockerOperator to connect to a docker daemon and spin up a container.
我正在使用气流和 dockerOperator 连接到 docker 守护进程并启动一个容器。
As part of my pipeline this container needs to decrypt a file using gpg.作为我的管道的一部分,这个容器需要使用 gpg 解密文件。
If I copy the gpg key in during docker build then it will be apart of the image forever, this feels insecure?如果我在 docker build 期间复制 gpg 密钥,那么它将永远与图像分开,这感觉不安全吗?
I have investigated whether or not I can put the key into an environment variable and pass it in that way ie through dockers -e VAR:VAL syntax.我已经调查过我是否可以将密钥放入环境变量中并以这种方式传递它,即通过 dockers -e VAR:VAL语法。 The only other way I can think of is to mount my local .gnupg file into the container and use that, however this will only work while I'm on my local machine.我能想到的唯一另一种方法是将我的本地.gnupg文件挂载到容器中并使用它,但是这只在我在本地机器上时才有效。 I want to be able to migrate to ECS or kubernetes at some stage.我希望能够在某个阶段迁移到 ECS 或 kubernetes。
1 个解决方案
解决方案1
1 已采纳 2019-07-02 09:18:55
You are correct in saying, that adding the key during docker build is insecure.您说得对,在 docker build 期间添加密钥是不安全的。
The env var is a valid way. env var 是一种有效的方式。 If you use kubernetes later, you can safely save the your key as a secret in kubernetes.如果您以后使用 kubernetes,您可以安全地将您的密钥保存为 kubernetes 中的秘密。 When deploying you can provide a secret via env to a container.部署时,您可以通过 env 向容器提供机密。
You could also provide a secret as a file from a kubernetes secret by using a volume, and mount a volume locally and provide the key file.您还可以通过使用卷从 kubernetes 秘密中提供秘密作为文件,并在本地安装卷并提供密钥文件。
These are the official docs for kubernetes secrets: https://kubernetes.io/docs/concepts/configuration/secret/这些是 kubernetes 秘密的官方文档: https ://kubernetes.io/docs/concepts/configuration/secret/
I am not familiar with ECS, but I am positive that there are similar ways.我不熟悉 ECS,但我肯定有类似的方法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.