When using an image registry in an enterprise, you usually need to enable authentication, and the credentials are often a shared account used by everyone in the company. However, after docker login the username and password are saved base64-encoded in .docker/config.json, so on servers used by many people the shared account leaks to anyone who can read that file.

Is there a solution for this?

Docker provides a credentials store: instead of being written to config.json, the password is handed to an external credential helper that stores it.

The following are currently supported.

For Linux servers the only real option is pass, because the D-Bus based helper requires X11 support, and the Apple and Microsoft helpers are clearly not meant for Linux.

Here are the configuration steps.

  1. Install gnupg2 and pass

        sudo apt install gnupg2 pass
    
  2. Install docker-credential-pass

    The following is the download address for version 0.6.3 of docker-credential-pass for amd64 (this is the Docker helper, not the pass utility installed above).

        wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
    

    After downloading, extract the archive, copy the docker-credential-pass binary to the /usr/bin/ directory and make it executable.

  3. Log out of Docker Hub

        $ docker logout
        Removing login credentials for https://index.docker.io/v1/
    
  4. Modify the Docker configuration and add "credsStore": "pass"

        $ cat ~/.docker/config.json
        {
            "auths": {},
            "credsStore": "pass",
            "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.6 (linux)"
            }
        }
    
  5. gpg2

    Generate a GPG key pair. Remember the passphrase you set here: it protects the key that pass uses to encrypt the stored Docker password.

        $ gpg2 --full-generate-key
        gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
        This is free software: you are free to change and redistribute it.
        There is NO WARRANTY, to the extent permitted by law.

        Please select what kind of key you want:
        (1) RSA and RSA (default)
        (2) DSA and Elgamal
        (3) DSA (sign only)
        (4) RSA (sign only)
        Your selection?
        ...
    

    Once generated, you can list the key with gpg2 -k.

        $ gpg2 -k
        gpg: checking the trustdb
        gpg: marginals needed: 3  completes needed: 1  trust model: pgp
        gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
        /home/bottle/.gnupg/pubring.kbx
        -------------------------------
        pub   rsa3072 2020-06-20 [SC]
              4B65C16E5349EC64D77A9EB1C1E8818FCC8126B8
        uid           [ultimate] silenceshell <me@ieevee.com>
        sub   rsa3072 2020-06-20 [E]
    
  6. Initialize pass

        $ pass init me@ieevee.com
        mkdir: created directory '/home/bottle/.password-store/'
        Password store initialized for me@ieevee.com
    
  7. docker login

    After logging in, check .docker/config.json again: the auths section no longer contains a username or password.

        $ cat ~/.docker/config.json
        {
            "auths": {
                "https://index.docker.io/v1/": {}
            },
            "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.6 (linux)"
            },
            "credsStore": "pass"
        }
    

After that, you can use that user’s identity to perform subsequent operations with docker.
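As an added example (not part of the original post), the following POSIX shell script audits a Docker client config.json for the two states the post describes: the leaky "before" state with base64 credentials inline under auths, and the "after" state where a credsStore is configured and auths is empty. It assumes only grep, sed, base64 and cut; the function names and the three sample configs are constructed here for the purpose of the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a Docker client
# config.json for inline base64 credentials (the leak described above) versus
# delegation to a credential store. Assumes POSIX sh plus grep, sed, base64
# and cut; the function names and sample configs are constructed here.

# Print one word describing how credentials are held in the given config:
#   inline - at least one registry entry still carries a base64 "auth" value
#   store  - a credsStore is configured and no inline value remains
#   none   - neither (for example, never logged in)
docker_config_audit() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 1
    fi
    # an inline credential looks like:  "auth": "dXNlcjpwYXNzd29yZA=="
    if grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg"; then
        echo "inline"
    elif grep -Eq '"credsStore"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg"; then
        echo "store"
    else
        echo "none"
    fi
}

# List the usernames held inline, one per line and without the passwords, so
# an admin knows which (possibly shared) accounts to rotate after cleaning up
# a multi-user server.
docker_config_inline_users() {
    cfg="$1"
    grep -Eo '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg" \
        | sed -E 's/.*"([^"]+)"$/\1/' \
        | while IFS= read -r b64; do
            # the value is base64("username:password"); keep only the username
            printf '%s\n' "$b64" | base64 -d 2>/dev/null | cut -d: -f1
        done
}

# --- constructed sample configs so the script runs stand-alone ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# before: the state the post warns about (value is base64 of "ciuser:Secret123")
cat > "$tmp/leaky.json" <<'EOF'
{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "Y2l1c2VyOlNlY3JldDEyMw=="
        }
    }
}
EOF

# after: the state reached at step 7 of the post
cat > "$tmp/store.json" <<'EOF'
{
    "auths": {
        "https://index.docker.io/v1/": {}
    },
    "credsStore": "pass"
}
EOF

# never logged in
printf '{ "auths": {} }\n' > "$tmp/empty.json"

for f in leaky store empty; do
    printf '%s: %s\n' "$f.json" "$(docker_config_audit "$tmp/$f.json")"
done
printf 'inline usernames in leaky.json: %s\n' "$(docker_config_inline_users "$tmp/leaky.json")"
```

Run it against a real file with docker_config_audit ~/.docker/config.json on each shared server; any host that reports "inline" still holds the shared account in plaintext-equivalent form and should be migrated to the steps above, after which the usernames listed by docker_config_inline_users tell you which account passwords to rotate.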