Build & maintain complex distributed systems
October 1–2, 2017: Training
October 2–4, 2017: Tutorials & Conference
New York, NY

Your (container) secret's safe with me

Liz Rice (Aqua Security)
1:30pm2:10pm Tuesday, October 3, 2017
Average rating: ****.
(4.67, 3 ratings)

Who is this presentation for?

  • DevOps engineers and security engineers

Prerequisite knowledge

  • A working knowledge of Linux and simple commands like ls and ps
  • Familiarity with containerization and orchestration concepts (e.g., when you run a container under an orchestrator, it's up to the orchestrator to pick a machine in the cluster where it will run)

What you'll learn

  • Understand some of the ways that your secrets can be placed at risk, especially under default settings
  • Learn some practical approaches to mitigate those risks


The 12-Factor App manifesto has trained us to pass configuration information into containers in the form of environment variables. In many cases, that config information includes secrets, such as passwords and certificates that allow containers to identify and communicate with each other. If those secrets are leaked, an attacker has information that could enable a serious system compromise.

Liz Rice outlines some of the ways that your secrets are more accessible than you might think. For example, did you know that any environment variable in a container is easily accessible from the host machine? Liz covers approaches for encrypting your secrets and explains how these can be set up under orchestrators like Docker Swarm and Kubernetes, including key management systems and key rotation.

Actions speak louder than words, so Liz will also dig into the technical details with live demonstrations. She’ll:

  • Show how plain-text environment variables are accessible to the host through the /proc pseudo-filesystem;
  • Demonstrate how orchestrators like Docker Swarm and Kubernetes pass secret information around in a deployment and discuss the pros and cons of their approaches, including whether the information is encrypted in transit or at rest;
  • Illustrate key rotation and key management systems like HashiCorp Vault.

Liz concludes by sharing a checklist of things to address to keep your container secrets secure.

Photo of Liz Rice

Liz Rice

Aqua Security

Liz Rice is the technology evangelist at container security specialists Aqua Security and coauthor of the O’Reilly report Kubernetes Security. She has a wealth of software development, team, and product management experience from her years spent working on network protocols and distributed systems and in digital technology sectors such as video on demand (VOD), music, and voice over internet protocol (VoIP). When not building startups and writing code, Liz loves riding bikes in places with better weather than her native London or racing in virtual reality on Zwift.