This is a continuation of our series describing our evolution of Shopify toward a Docker-powered, containerized data centre. Read the last post in the series here. One of the challenges along the road to containerization has been establishing a way to move application secrets like API keys, database passwords, and so on into the application in a secure way. This post explains our solution, and how you can use it with your own projects.
Overview
This article discusses the introduction of EJSON at Shopify, a library designed to securely manage application secrets in a Docker-powered environment. It addresses the challenges of secret management and outlines the motivation, implementation, and key management processes involved in using EJSON for encrypting sensitive data.
What You'll Learn
How to securely manage application secrets using EJSON
Why asymmetric encryption is beneficial for secret management
When to use Docker for containerized applications
Prerequisites & Requirements
- Understanding of Docker and containerization concepts
- Familiarity with command line utilities for encryption(optional)
Key Questions Answered
What are the main challenges in managing application secrets in Docker?
How does EJSON improve secret management compared to previous methods?
What is the process for decrypting secrets at runtime in Docker containers?
Technologies & Tools
Some links below are affiliate links. We may earn a commission if you make a purchase.
Key Actionable Insights
1Implement EJSON in your projects to enhance the security of application secrets.Using EJSON allows developers to manage secrets securely without exposing sensitive information in Docker images, making it a valuable tool for any containerized application.
2Adopt asymmetric encryption for managing sensitive data to minimize access risks.By allowing developers to add or rotate secrets without providing them with decryption capabilities, you can significantly reduce the risk of credential leaks.
3Utilize version control for encrypted secrets to facilitate auditing and change tracking.Storing EJSON files in a git repository allows for clear visibility into changes made to secrets, aiding compliance and security audits.