    14 Nov 2019

    Raspberry Pi, Single-board Computers
    4 min | 898

    #Raspberry Pi: Encrypt (and save) Docker credentials


    credentials
    docker environments
    docker hub
    docker registry
    embedded systems
    encryption
    go
    raspberry pi

    Usually, I log in to different Docker registries (local, Docker Hub, etc.) with a computer running Ubuntu. I execute docker login once, then I enter the username and password, and after restarting the system, the access data is still available. That means I write the credentials only once. But on the Raspberry Pi, it was different until today: I needed to write the login credentials every time I booted the board.

    This article helps you install the tools needed to save Docker login credentials on the Raspberry Pi, but not as plain text, so that the access data is still available the next time you reboot the Raspberry Pi and you don't need to type it again!

    To do that, you need the Docker credential helpers, which will use your operating system’s native credential store instead of the file ~/.docker/config.json. But on the Raspberry Pi, you need to install a credential storage and compile the credential helpers (the compiled releases are only for amd64 systems).

    This is what I will try to accomplish in this tutorial:

    1. Install the pre-requisites for the Docker credential helpers, credential manager and key,
    2. Install the Docker credential helpers,
    3. Generate a (encrypted) key for the credential manager,
    4. Initiate a credential manager/storage,
    5. Login into Docker Hub.

    Let's start!

    DIY

    Connect to the Raspberry Pi over SSH and type the following in the terminal:

    sudo apt install gnupg2 pass

    gnupg2 is used to encrypt data and to create digital signatures, and pass is the standard Unix password manager.

    Docker credential helpers

    Then, install golang to compile the Docker credential helpers:

    # install golang and define GOPATH
    sudo apt-get install golang
    mkdir -p /home/pi/go
    export GOPATH=/home/pi/go
    
    # download the docker-credential-helpers repository into $GOPATH/src
    cd "$GOPATH"
    go get github.com/docker/docker-credential-helpers
    
    # compile docker-credential-pass
    cd "$GOPATH/src/github.com/docker/docker-credential-helpers/"
    make pass
    # copy the compiled binary to /usr/bin
    sudo cp bin/docker-credential-pass /usr/bin

    Key generation

    After installing the libraries and compiling the "helpers", you can configure the password manager to save the Docker credentials, but first you need a key to encrypt the data. Type the following on a terminal to get the key:

    gpg --generate-key  
    # enter your name, your email and a passphrase
    

    You should add a passphrase to the generated key, but you can also leave the field blank and press OK. You then get something like Fig. 1. If you click on "Yes, protection is not needed", the key generation continues. If the passphrase prompt appears every second while you want to skip it (no password), use gpg --generate-key --pinentry-mode=loopback instead.

    Fig. 1: Skipping passphrase

    If you skip the passphrase, access to the key is not secured, which means that anyone with access to the system can get the key and use it. The password store is still encrypted with this key, so the credentials are not saved in plain text, but they can be decrypted with the unprotected key. That is a bit more complicated than reading them in plain text, but it is not yet 100% safe. If you do use a passphrase, however, you will be asked for it every time you restart the Raspberry Pi and try to log in to a Docker registry.

    Then, you move the mouse and wait a bit and you get something like Fig. 2:

    Fig. 2: Certificate

    Copy the gpg-id, in my case: C30C6A18924E48545A21EBE2F9C4B53FF45D21F8 (see Fig. 2).

    Credential/Password storage

    Type the following to initiate the password storage and use the key with gpg-id for encryption:

    pass init <gpg-id>
    # in my case: pass init C30C6A18924E48545A21EBE2F9C4B53FF45D21F8

    and you get something like Fig. 3.

    Fig. 3: Creating password manager

    Docker Registry login

    Finally, log in to the Docker registry using:

    # for Docker Hub
    docker login
    # for other Registries
    docker login <http://registry...>

    and enter your credentials. You should get something like Fig. 4.

    Fig. 4: Docker login
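
A way to check the result of the login above, as an added example that is not part of the original post: the script parses a Docker client config and lists every registry whose `auth` field still holds the base64-encoded (not encrypted) `user:password` pair. The two sample configs, the account name and the function name `audit_docker_config` are constructed for illustration.

```python
import base64
import json
import os
import sys

# Constructed samples (not from the original post). The first mimics what
# `docker login` writes when no credential helper is used; the second is the
# assumed shape when a helper such as `pass` holds the secret instead.
PLAINTEXT_CONFIG = json.dumps({
    "auths": {"https://index.docker.io/v1/": {
        "auth": base64.b64encode(b"exampleuser:examplepass").decode()}},
})
HELPER_CONFIG = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "pass",
})


def audit_docker_config(text):
    """Return (store, findings): the configured credsStore (or None) and a
    list of (registry, username) pairs whose secret sits in the file."""
    cfg = json.loads(text)
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        token = (entry or {}).get("auth")
        if not token:
            continue  # empty entry: the secret lives in the credential store
        try:
            # "auth" is base64("user:password"): encoded, not encrypted.
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append((registry, user))
    return cfg.get("credsStore"), findings


if __name__ == "__main__":
    default = os.path.expanduser("~/.docker/config.json")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path) as fh:
        store, findings = audit_docker_config(fh.read())
    print("credsStore:", store or "(not set)")
    for registry, user in findings:
        print(f"inline credential for user {user!r} at {registry}")
    sys.exit(1 if findings else 0)
```

Run without arguments it reads ~/.docker/config.json and exits non-zero if any inline credential remains; the password itself is never printed.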

    If you didn't add the user `pi` to the Docker group (`sudo usermod -aG docker pi`) and you are using `sudo` every time you need to communicate with the Docker engine, you have to create the key and the password storage with `sudo` too. Otherwise the storage won't be found and you'll get the following error:
    Error saving credentials: error storing credentials - err: exit status 1, out: `pass not initialized: exit
    status 1: Error: password store is empty. Try "pass init".

    If you entered a passphrase to protect the generated key, you must execute the following line; otherwise, the password prompt will not appear and you will get an error:

    export GPG_TTY=$(tty)

    This line should also be added at the end of ~/.bashrc (e.g. using nano ~/.bashrc) so that the environment variable is set every time the Raspberry Pi boots.

    Conclusions

    This tutorial helps you install the necessary tools to save Docker login credentials on systems where the Docker credential helpers are not installed by default. This includes all ARM (embedded) systems. Credentials are stored in an encrypted storage with a (password-protected) key. This is much safer than plain text on the microSD.

