
Docker

Integrate XtraSecurity with Docker and Docker Compose. Securely manage container secrets without hardcoding them in the Dockerfile.

Setup Time: 15 minutes
Difficulty: Medium

XtraSecurity + Docker Integration

Manage secrets in Docker containers using XtraSecurity.

Quick Start

Using Docker Run

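# Fetch secrets first, into a temp file only the current user can read
# (assumes xtra get prints KEY=value lines, the format --env-file expects)
envfile=$(mktemp)
xtra get database_url > "$envfile"
xtra get api_key >> "$envfile"

# Run container with secrets
# -e XTRA_API_KEY without a value passes it through from the host environment
docker run \
  --env-file "$envfile" \
  -e XTRA_API_KEY \
  myapp:latest

# Remove the plaintext copy
rm -f "$envfile"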

Docker Compose

version: '3.9'

services:
  app:
    image: myapp:latest
    environment:
      XTRA_API_KEY: ${XTRA_API_KEY}
      DATABASE_URL: ${DATABASE_URL}
      API_KEY: ${API_KEY}
    env_file:
      - .env.production
    ports:
      - "3000:3000"
    depends_on:
      - postgres
  
  postgres:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data

volumes:
  postgres_data:

.env File Management

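# Fetch all secrets into .env, readable only by the current user
umask 077
xtra export --format env > .env.production

# Don't commit .env files, and keep them out of the Docker build context
echo ".env.production" >> .gitignore
echo ".env.production" >> .dockerignore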

Advanced: Custom Entrypoint

Create entrypoint.sh:

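#!/bin/bash
set -e

# Fetch secrets on startup into files only this user can read
umask 077
mkdir -p /run/secrets
xtra get database_url > /run/secrets/db_url
xtra get api_key > /run/secrets/api_key

# Export as environment variables
# (assign first, then export, so set -e stops on a failed read)
DATABASE_URL="$(cat /run/secrets/db_url)"
API_KEY="$(cat /run/secrets/api_key)"
export DATABASE_URL API_KEY

# Start application
exec "$@"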

Update Dockerfile:

FROM node:18

WORKDIR /app
RUN npm install -g @xtrasecurity/cli

COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh

# .dockerignore must exclude .env files so COPY does not bake them into a layer
COPY . .
RUN npm install

ENTRYPOINT ["/entrypoint.sh"]
CMD ["npm", "start"]

Security Best Practices

  1. Never hardcode secrets in the Dockerfile
  2. Use ARG for build-time values only, never for secrets (build arguments remain visible in docker history)
  3. Exclude .env files from Docker builds with .dockerignore
  4. Rotate API keys monthly
  5. Use read-only mounts for secrets
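
Items 1 to 3 can be checked mechanically before a build. The script below is an added example, not XtraSecurity or Docker code: the function names are hypothetical, the secret-name pattern is a heuristic, and ignore-file matching is simplified to shell globs without '!' exceptions.

```shell
#!/usr/bin/env bash
# Added example: audit a build context against checklist items 1-3.
# All function names are hypothetical; nothing here is XtraSecurity code.

# Succeeds if file name $1 matches a pattern in ignore file $2.
# Simplification: '!' exception lines and '**' are not interpreted.
is_ignored() {
  [ -f "$2" ] || return 1
  while IFS= read -r pat || [ -n "$pat" ]; do
    case $pat in ''|'#'*|'!'*) continue ;; esac
    case $1 in $pat) return 0 ;; esac
  done < "$2"
  return 1
}

# Print one finding per line for the build context directory $1.
audit_context() {
  dir=$1
  # Items 1-2: ENV/ARG values persist in image metadata and `docker history`.
  # Matching on the variable name is a heuristic, so review each hit.
  if [ -f "$dir/Dockerfile" ]; then
    grep -nEi '^[[:space:]]*(ENV|ARG)[[:space:]].*(SECRET|PASSWORD|TOKEN|API_?KEY)' \
      "$dir/Dockerfile" | sed 's/^/Dockerfile:/' || true
  fi
  # Item 3: each .env* file must be excluded from the build and from git.
  for f in "$dir"/.env*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    is_ignored "$name" "$dir/.dockerignore" || echo "$name: not in .dockerignore"
    is_ignored "$name" "$dir/.gitignore" || echo "$name: not in .gitignore"
  done
  return 0
}

# Constructed sample context for a dry run; prints the directory path.
make_sample_context() {
  d=$(mktemp -d)
  printf 'FROM node:18\nARG NODE_ENV=production\nENV API_KEY=sk_live_xxx\n' \
    > "$d/Dockerfile"
  printf 'DATABASE_URL=placeholder\n' > "$d/.env.production"
  printf '.env.production\n' > "$d/.gitignore"
  printf 'node_modules\n' > "$d/.dockerignore"
  echo "$d"
}
```

Source the file and run audit_context . from the project root before docker build; empty output means none of the three checks fired.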
