Allow keypair to be mounted as docker secrets
lonix1 opened this issue · comments
Is your feature request related to a problem? Please describe.
The self hosted docker option allows to mount the keypair as file mounts:
volumes:
- ./id_ed25519:/data/id_ed25519:ro
- ./id_ed25519.pub:/data/id_ed25519.pub:roAlthough this works, it's not ideal for such sensitive secrets.
Describe the solution you'd like
Please consider allowing the keypair to be mounted as proper docker secrets:
secrets:
secret_private:
file: id_ed25519
secret_public:
file: id_ed25519.pub
services:
rustdesk:
secrets:
- secret_private
- secret_public
image: rustdesk/rustdesk-server-s6:latest
# ...Those secrets would be automatically mounted at the standard docker paths:
/run/secrets/secret_private
/run/secrets/secret_public
Then the app can load the secrets from those files directly.
So from rustdesk's perspective, the ONLY change is to read from /run/secrets/secret_private and /run/secrets/secret_public instead of /data/id_ed25519 and /data/id_ed25519.pub. That's it.
Describe alternatives you've considered
Mounting as file mounts, as shown above.
Additional context
Thanks for considering it.
If you want to PR the change or docs or anything please feel free and the devs can review the changes 😀
If you want to use docker (or k8s) secrets, please refer to this section of the readme.
Thank you @paspo I didn't see that part of the docs. I changed to docker secrets and it works perfectly!
One note though:
It seems the app copies the secrets from /run/secrets/key_priv and /run/secrets/key_pub to /data/id_ed25519 and /data/id_ed25519.pub, respectively.
Surely they should be read from the original path only? The two paths have different attack surfaces, so this behaviour is circumventing the docker secrets mechanism.
Surely they should be read from the original path only? The two paths have different attack surfaces, so this behaviour is circumventing the docker secrets mechanism.
I agree with that.
Unfortunately this is not possible yet, because hbbr and hbbs binaries expects the key pair to be in specific files inside the current working directory.
That's why this scripts is going to copy the secrets in /data, by collecting from ENV or secrets; also, the start scripts for hbbs and hbbr doesn't have any parameter to specify the key location.
IMHO this can be resolved in 2 ways:
- (easier) add a command line parameter to both programs to specify the key location
- move the whole ENV management inside the binaries and add a couple of new ENV vars:
KEY_PUB_FILEandKEY_PRIV_FILE
It seems the app copies the secrets from
/run/secrets/key_privand/run/secrets/key_pubto/data/id_ed25519and/data/id_ed25519.pub, respectively.
How about a symbol link?
How about a symbol link?
My gut feeling tells me that it would basically be the same problem... BUT, I don't know for sure.
However, @paspo suggestion seems good. I've seen something like this in other apps:
secrets:
- key_priv:
filename: ./id_ed25519
- key_pub:
filename: ./id_ed25519.pub
services:
rustdesk:
secrets:
- key_priv
- key_pub
environment:
- RUSTDESK_PRIVATE_KEY: /run/secrets/key_priv # <-----
- RUSTDESK_PUBLIC_KEY: /run/secrets/key_pub # <-----
# ...The app would then read the secrets from files specified by those env vars.
just to frame this a little more, you can start hbbs like this:
hbbs -k IRvYWCnv72zAFBYO4LT9h5yUfqLQXG0/DVw68yFfr55UrtLfm6TjcOcvo+nLtscsA4VxvKcVJfJYC2rpi2R2DA==You don't even need a key file.
But this approach has a big disadvantage: you have the secret key dumped in every process list!
And BTW, the public key is also dumped on stdout at start, which is a minor issue, but still avoidable.