hashicorp/docker-vault

Passphrase in container?

ingtarius opened this issue · 2 comments

Hello! How to pass passphrase into docker container at startup?
I tried echo $PASSWD | server as in hashicorp/vault#7074,
with no luck.

Since the docker image's entry point is a script, piped content does not directly reach the vault executable. The script does pass arguments, but does not seem to pass in piped content.

In vault version v1.13.2, running vault server when TLS is enabled and the private key file is locked with a passphrase, the startup process prompts the CLI user for the TLS private key passphrase.
While this is not a hands-off approach usable in scripting, it fits my use case for now.

When I start a docker container from the hashicorp/vault image, I choose to open an interactive tty shell with the options -i and -t to ensure I can enter the passphrase being prompted at startup. For example, when I am one directory above the config folder that I want to mount into the Docker container for my preferred settings, I run this command.

docker run \
  --volume $(pwd)/config:/vault/config \
  --cap-add=IPC_LOCK \
  -p 8200:8200 \
  -i -t \
  hashicorp/vault server

The -i ensures that STDIN will be connected to the container's STDIN, while the -t starts a tty session so you can see the output, including the passphrase prompt.

The original goal is still to supply a password during docker run and unlock this key file without any further interaction; the benefit is that this enables pipelines to deploy this container under this additional layer of security for the key file.

Without docker involved, unlocking the secret key file using a piped command into vault server is possible thanks to this PR and per this line of code in a dependency.

  1. In the docker container I started the vault server by grabbing my password silently
    read -s PWD
  2. Then by piping that $PWD variable into vault's sub-command server, with a config dir containing a customized local.json file for the server details, like the path to my passphrase protected server private key PEM file.
    echo $PWD | vault server -config /vault/config

The server starts as expected after decrypting the key file.

The challenge is that...

This feature is not supported in the docker-entrypoint.sh file. Although the script does account for many useful settings, zombie prevention, and additional arguments, it does not support sending STDIN to the vault command.

With minor edits, supplying the passphrase as an environment variable could be effective. By using the -e command flag, the password can remain in variable format during docker run and be used within the docker-entrypoint.sh file. At the end of this script is an exec call that can be prefaced by an echo command piping in the environment variable with the passphrase to unlock the secret key file.

With these changes, the developer may use the following command to run the container:

docker run \
  --volume /host/path/to/config:/vault/config \
  --cap-add=IPC_LOCK \
  -p 8200:8200 \
  -e "VAULT_TLS_KEY_PASSPHRASE=${PASS}" \
  hashicorp/vault server
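The entrypoint change sketched above, written out as an added example (it is not the docker-vault project's own docker-entrypoint.sh): a POSIX sh fragment that feeds the passphrase to the server over STDIN, where vault server reads it. It assumes the variable name VAULT_TLS_KEY_PASSPHRASE from the command above and adds a hypothetical VAULT_TLS_KEY_PASSPHRASE_FILE so a mounted secret file can be used instead of -e, whose value is visible to anyone who can run docker inspect on the container.

```shell
#!/bin/sh
# Added example, not the docker-vault project's docker-entrypoint.sh.
# Assumed variable names: VAULT_TLS_KEY_PASSPHRASE (passphrase in the
# environment, as in the docker run command above) and
# VAULT_TLS_KEY_PASSPHRASE_FILE (path to a file holding it, e.g. a
# Docker/Compose secret mounted under /run/secrets).
set -e

# read_passphrase: print the passphrase to stdout, or nothing if none is set.
# A file wins over the environment because its content is not exposed by
# `docker inspect` or by the container's process environment.
read_passphrase() {
    if [ -n "${VAULT_TLS_KEY_PASSPHRASE_FILE:-}" ]; then
        # Only the first line of the file is used.
        head -n 1 "$VAULT_TLS_KEY_PASSPHRASE_FILE"
    elif [ -n "${VAULT_TLS_KEY_PASSPHRASE:-}" ]; then
        printf '%s\n' "$VAULT_TLS_KEY_PASSPHRASE"
    fi
}

# run_server CMD...: the final step of an entrypoint. When a passphrase is
# available it is written to CMD's STDIN; otherwise CMD keeps the container's
# STDIN so an interactive (-i -t) session still gets vault's prompt.
# No exec here: in the piped branch the shell must stay alive as the
# pipeline's parent, so the entrypoint's existing init/zombie handling still
# applies to the server process.
run_server() {
    pass=$(read_passphrase)
    # Scrub the variables so the server process does not inherit them
    # (anything in its environment is readable via /proc/<pid>/environ).
    unset VAULT_TLS_KEY_PASSPHRASE VAULT_TLS_KEY_PASSPHRASE_FILE
    if [ -n "$pass" ]; then
        # printf, not echo: a passphrase starting with "-n" or containing
        # backslashes would otherwise be altered before reaching vault.
        printf '%s\n' "$pass" | "$@"
    else
        "$@"
    fi
}
```

In a real entrypoint the last line would be something like `run_server vault server -config /vault/config`, with the rest of the script's argument handling left unchanged.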