Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

PAL is your pal: Bootstrapping secrets in Docker

Nick Sullivan (CloudFlare)
11:20–12:00 Thursday, 10 November, 2016
Tech, tools, and processes
Location: G103 Level: Intermediate

Prerequisite knowledge

  • Experience managing containerized software deployment on Linux
  • Familiarity with Docker

What you'll learn

  • Explore PAL and learn how it can be used to bolster the security of your Docker container deployments


Many services that run in Docker containers need access to highly sensitive secrets, such as SSL certificates and API keys. Services like Vault and Keywhiz were developed to manage secrets through a central authority; however, most of these secret management services require a secret to already be present before the service can be used at all. This presents a bootstrapping problem. To solve it, CloudFlare created PAL, a new tool for bootstrapping secrets in Docker containers.

PAL (permissive action link, named after the mechanism used to prevent unauthorized detonation of nuclear devices) works by binding identity secrets to Docker containers and decrypting them at launch time through a service running on the host. Decryption permissions require M-of-N authorization and are handled through a service called Red October. This allows you to simply and transparently bootstrap service-specific secrets.
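
As an added illustration (not PAL's own code, and leaving Red October's M-of-N authorization out), this Go example shows the core binding idea from the abstract: the host keeps the key, a container only carries a sealed blob bound to its identity label, and the host-side decrypt at launch fails for any other identity. The key, the labels and the secret are constructed values, and using AES-GCM associated data for the binding is an assumption about how such a scheme can be built, not a description of PAL's actual protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Constructed 32-byte demo key held only by the host-side service; containers receive the sealed blob, never the key.
var hostKey = []byte("0123456789abcdef0123456789abcdef") // AES-256-GCM here is an assumption, not PAL's real scheme
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a secret and binds it to a container identity label by passing the label as AES-GCM associated data; output is nonce || ciphertext || tag.
func Seal(key []byte, identity string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(identity)), nil
}

// Open is the host-side step at container launch: decryption succeeds only when the requesting container's identity matches the label the secret was bound to.
func Open(key []byte, identity string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("sealed blob too short: %d bytes", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(identity))
}

func main() {
	sealed, _ := Seal(hostKey, "billing-api", []byte("api-key-EXAMPLE"))
	pt, err := Open(hostKey, "billing-api", sealed)
	_, wrong := Open(hostKey, "other-service", sealed) // wrong identity: GCM tag check fails
	fmt.Printf("billing-api: %q err=%v; other-service err=%v\n", pt, err, wrong)
}
```

A real deployment would additionally gate the Open step behind the M-of-N approval the abstract attributes to Red October, so that holding the sealed blob alone never yields the plaintext.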

Nick Sullivan describes the design and implementation of this service and explains how CloudFlare uses it to protect secrets for its billing platform and private key infrastructure. Nick concludes by exploring CloudFlare’s plans to use PAL for service-to-service authorization.


Nick Sullivan


Nick Sullivan is a leading cryptography and security technologist. He currently works on cryptographic products and strategy for CloudFlare. Previously, Nick held the prestigious title of mathemagician at Apple, where he encrypted books, songs, movies, and other varieties of mass media.