#Raspberry Pi: Encrypt (and save) Docker credentials
Raspberry Pi, Single-board Computers | 4 min | 10408
Usually, I login to different Docker registries (local, Docker Hub, etc.) with a computer running Ubuntu. I execute once
docker login, then I enter the username and password, and after restarting the system, the access data is still available. That means, I write the credentials only once. But, on the Raspberry Pi, it was different until today: I needed to write the login credentials every time I booted the board.
This article helps you to install the needed tools to save Docker login credentials on the Raspberry Pi, but not as plain text, so that the next time that you reboot the Raspberry the data access is still available and you don't need to type it again!
To do that, you need the Docker credential helpers, which will use your operating system’s native credential store instead of the file
~/.docker/config.json. But on the Raspberry Pi, you need to install a credential storage and compile the credential helpers (the compiled releases are only for amd64 systems).
This is what I will try to accomplish in this tutorial:
- Install the pre-requisites for the Docker credential helpers, credential manager and key,
- Install the Docker crendential helpers,
- Generate a (encrypted) key for the credential manager,
- Initiate a credential manager/storage,
- Login into Docker Hub.
Connect to the Raspberry Pi using a
sshtunel and type the following on the terminal:
sudo apt install gnupg2 pass
gnupg2is used to encrypt data and to create digital signatures and
passis the standard unix password manager.
Docker credential helpers
golangto compile the Docker credential helpers:
# install golang and define PATH sudo apt-get install golang mkdir /home/pi/go export GOPATH=/home/pi/go # download the docker-credential-helpers repository cd $GOPATH go get github.com/docker/docker-credential-helpers # compile docker-credential-pass and cd $GOPATH/src/github.com/docker/docker-credential-helpers/ make pass # move the compiled sources to /usr/bin sudo cp bin/docker-credential-pass /usr/bin
After installing the libraries and compiling the "helpers", you can configure the password manager to save the Docker credentials, but first you need a key to encrypt the data. Type the following on a terminal to get the key:
gpg --generate-key # enter your information name and email and a passphrase
You should add a passphrase to generated key, but you can also leave the field blank, and press OK. You get something like Fig. 1. If you click on
Yes, protection is not needed, the key generation continues. If the passphase prompt appears every second while you want to skip it (no password), use this
gpg --generate-key --pinentry-mode=loopback
Fig. 1: Skipping passphraseIf you skip the passphrase, access to the key is not secured, that means everyone can get it. However, the password manager will be encrypted with this key. That means, credentials are not saved in plain text, but you can decrypt them using the key that is not protected. It is a bit more complicated than reading them in plain text, but it is not yet 100% safe. But, if you use a passphrase, you will receive a message asking for it every time you restart the Raspberry Pi and try to log in to a Docker registry.
Then, you move the mouse and wait a bit and you get something like Fig. 2:
Fig. 2: Certificate
gpg-id, in my case:
C30C6A18924E48545A21EBE2F9C4B53FF45D21F8(see Fig. 2).
Type the following to initiate the password storage and use the key with
pass init <gpg-id> # in my case: pass init C30C6A18924E48545A21EBE2F9C4B53FF45D21F8
and you get something like Fig. 3.
Fig. 3: Creating password manager
Docker Registry login
Finally, login to the Docker registry using:
# for Docker Hub docker login # for other Registries docker login <<http://registry...>>
and enter your credentials, you should get something like Fig. 4.
Fig. 4: Docker loginIf you didn't add the user `pi` to the Docker group (`sudo usermod -aG docker pi`) and you are using `sudo` everytime you need to comunicate with the Docker engine, you have to create the key and the password storage with `sudo` too. Otherwise you won't find it! and you'll get the following error:
Error saving credentials: error storing credentials - err: exit status 1, out: `pass not initialized: exit status 1: Error: password store is empty. Try "pass init".
If you entered a passphrase to protect the generated key, you must execute the following line; otherwise, the password prompt will not appear and you will get an error:
This line should be also added at the end of e.g.
nano ~/.bashrcto get the environmental variable everytime that the Raspberry Pi boots.
This tutorial helps you install the necessary tools to save Docker login credentials on systems, in which Docker credential helpers are not installed by default. This includes all ARM (integrated) systems. Credentials are stored in an encrypted storage with a (password protected) key. This is much safer than plain text on the microSD.