Key management during Docker build

While building, we often require private keys to check out repositories or to access other required, access-restricted assets.

In this particular case it was a github checkout that required a private key to an account with access to the respective repository.

The requirements were:

  • The key must be present during the build process
  • There must not be any traces of the key left in the image after building
  • The private key in question must not be accessible to anyone outside of the system operations crew

These are some suggestions that I found that fulfill all requirements:

Source: Docker Forums – Use private keys or secrets during build

Unfortunately it’s a long standing issue without one clear solution. See for instance https://github.com/docker/docker/issues/13490.

If all you need is SSH access to certain repositories one simple solution would be to git clone the repositories ahead of time (perhaps in some type of outer build script / Makefile) and then COPY them into the image in the Dockerfile. As of today there’s nothing like SSH agent which can run in containers though (at least without a few ugly or dangerous hacks).

So we could check out both repositories using a private key of the executing party (whether it’s a developer with her/his personal id_rsa or a CI system like Jenkins that uses its own id_rsa) to specific locations. Then we would use a Dockerfile to put the required repository into the container without any need for a private key inside the build.
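The outer build step described above, as an added example that is not part of the original post: the repository is cloned into the build context with the executing party's own SSH identity, a Dockerfile that only COPYs the checkout is written, and a guard refuses to build if anything that looks like a private key ends up in the context. The function and file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). The Docker build never sees a
# key: git runs outside the build with the caller's SSH agent or an explicit
# identity file, and only the resulting checkout goes into the build context.
set -eu

# prepare_build_context <git-url> <context-dir> [ssh-private-key-path]
# Clones the repository into <context-dir>/app and writes the Dockerfile and
# .dockerignore beside it. The key path (if given) is used only by this
# process; nothing under <context-dir> references it.
prepare_build_context() {
  repo_url="$1"; ctx="$2"; key="${3:-}"
  rm -rf "$ctx" && mkdir -p "$ctx"
  if [ -n "$key" ]; then
    # Explicit identity, e.g. a CI system's own id_rsa; IdentitiesOnly keeps
    # ssh from offering every key in the agent.
    GIT_SSH_COMMAND="ssh -i $key -o IdentitiesOnly=yes" git clone -q "$repo_url" "$ctx/app"
  else
    git clone -q "$repo_url" "$ctx/app"   # developer's agent / default id_rsa
  fi
  cat > "$ctx/Dockerfile" <<'EOF'
FROM alpine:3.19
COPY app /srv/app
EOF
  # Keep git metadata and any stray key files out of the image layers.
  printf '%s\n' '**/.git' '*.pem' 'id_rsa*' 'id_ed25519*' > "$ctx/.dockerignore"
}

# check_no_keys <context-dir>: fail if PEM/OpenSSH private key material is
# present anywhere in the build context. Run this before `docker build`.
check_no_keys() {
  ctx="$1"
  if grep -rl -e 'PRIVATE KEY-----' "$ctx" >/dev/null 2>&1; then
    echo "private key material found in build context $ctx" >&2
    return 1
  fi
  return 0
}

# Usage (not executed here):
#   prepare_build_context git@github.com:org/repo.git ./build ~/.ssh/id_rsa
#   check_no_keys ./build && docker build -t app ./build
```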

However, the issue has been under discussion since 2015 in the above-mentioned GitHub issue: https://github.com/moby/moby/issues/13490