How to set up secure local credential storage for Docker on Ubuntu 20.04

Problem:

We need secure local storage for Docker login credentials, configured through the Unix pass tool. By default, docker login stores credentials in ~/.docker/config.json as a base64-encoded string, which is only an encoding, not protection: anyone who can read the file can recover the password.

Prerequisites:

  1. Ubuntu 20.04
  2. If Docker was installed via the Snap package manager, uninstall it with the snap remove docker command
  3. To list installed Snap packages, use the snap list command
  4. Install Docker on Ubuntu with the following commands:
    • sudo apt update
    • sudo apt install apt-transport-https ca-certificates curl software-properties-common --> install a few prerequisite packages which let apt use packages over HTTPS
    • curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - --> add the GPG key for the official Docker repository to your system
    • sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable" --> add the Docker repository to APT sources
    • apt-cache policy docker-ce --> Make sure you are about to install from the Docker repo instead of the default Ubuntu repo
    • sudo apt install docker-ce --> install Docker
    • sudo systemctl status docker --> Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it’s running
    • docker version --> Confirm Docker version
  5. Make docker commands execute without sudo:
    • sudo usermod -aG docker ${USER} --> add your username to the docker group
    • su - ${USER} --> To apply the new group membership, log out of the server and back in
    • groups --> Confirm that your user is now a member of the docker group

Setup secure credential storage for Docker:

  1. Install rng-tools: sudo apt-get install rng-tools -y
  2. rng-tools is a set of utilities related to random number generation in the kernel. The main program is rngd, a daemon that checks random data from a hardware device and feeds it into the kernel entropy pool.
  3. Generate the required entropy with the command: sudo rngd -r /dev/urandom
  4. Install the pass tool with the command: sudo apt-get install pass -y
  5. Generate a new GPG key: gpg --full-generate-key. Answer the interactive setup questions and set a passphrase for the new key.
  6. Create a new directory: mkdir ~/bin
  7. Change into the new directory: cd ~/bin
  8. Add the directory to your PATH environment variable: echo 'export PATH=$PATH:~/bin' >> ~/.bashrc
  9. Download docker-credential-pass with the following command: wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
  10. Extract files: tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
  11. Give the new file proper permissions with: chmod a+x docker-credential-pass
  12. Copy the executable with the command: sudo cp docker-credential-pass /usr/local/bin
  13. Log out of and back into the Docker registry: docker logout, then docker login
  14. Create a new directory: mkdir ~/.docker
  15. Locate the GPG id to associate with the credential store: gpg --list-secret-keys or gpg --fingerprint [your_email_set_during_key_creation]
  16. Initialize the pass tool with the command: pass init [your_gpg_id_string_in_hex_format]
  17. Create password for credential storage with the command: pass insert docker-credential-helpers/docker-pass-initialized-check
  18. Once the password is stored, create a new configuration file with the command: sudo vim ~/.docker/config.json
  19. Add the following content to the new file, save and close:
    {
      "credsStore": "pass"
    }
    
  20. Finally, log in to Docker with the command docker login and check that the WARNING message about unencrypted credential storage has disappeared
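An added example, not the guide's own code: a bash audit of a Docker client config.json for the end state of the procedure above, run against constructed sample files. It assumes only grep, sed, mktemp and coreutils base64; the file names and the base64 value are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a Docker client
# config.json for the end state of the procedure above: "credsStore"
# must be "pass" and no base64 "auth" entries may remain under "auths".

# Return 0 when the config delegates to the pass helper and holds no
# base64 "auth" values; otherwise print each finding and return 1.
audit_docker_config() {
  local cfg="$1" rc=0
  [ -f "$cfg" ] || { echo "$cfg: missing"; return 1; }
  # Pull the credsStore value out with grep/sed so jq is not required.
  local store
  store=$(grep -oE '"credsStore"[[:space:]]*:[[:space:]]*"[^"]*"' "$cfg" \
          | sed -E 's/.*"([^"]*)"$/\1/')
  if [ "$store" != "pass" ]; then
    echo "$cfg: credsStore is '${store:-unset}', expected 'pass'"; rc=1
  fi
  # An "auth": "<base64>" pair is a login kept in the file itself and
  # readable by anyone who can read the file (base64 is not encryption).
  local leaked
  leaked=$(grep -cE '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg" || true)
  if [ "$leaked" -gt 0 ]; then
    echo "$cfg: $leaked base64 auth entry(ies) still present"; rc=1
  fi
  return $rc
}

# Print only the usernames recoverable from leftover "auth" entries
# (each decodes to user:password); the password part is dropped.
auth_usernames() {
  grep -oE '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" \
    | sed -E 's/.*"([^"]*)"$/\1/' \
    | while IFS= read -r b64; do
        printf '%s\n' "$b64" | base64 -d | cut -d: -f1
      done
}

# Constructed sample files: the insecure default after a plain
# `docker login` (auth is base64 of "user:example-password") and the
# state this guide ends in.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/insecure.json" <<'EOF'
{ "auths": { "https://index.docker.io/v1/": { "auth": "dXNlcjpleGFtcGxlLXBhc3N3b3Jk" } } }
EOF
printf '{ "credsStore": "pass" }\n' > "$SAMPLE_DIR/secure.json"

for f in "$SAMPLE_DIR/insecure.json" "$SAMPLE_DIR/secure.json"; do
  if audit_docker_config "$f"; then echo "$f: OK"; fi
done
```

Point audit_docker_config at ~/.docker/config.json after step 20 to confirm the file no longer carries any base64 login.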
