Allow keypair to be mounted as docker secrets #287
Comments
If you want to PR the change, or the docs, or anything, please feel free, and the devs can review the changes 😀 |
If you want to use docker (or k8s) secrets, please refer to this section of the readme. |
Thank you @paspo, I didn't see that part of the docs. I changed to docker secrets and it works perfectly! One note though: it seems the app copies the secrets from Surely they should be read from the original path only? The two paths have different attack surfaces, so this behaviour is circumventing the docker secrets mechanism. |
I agree with that. Unfortunately this is not possible yet, because That's why this script is going to copy the secrets in IMHO this can be resolved in 2 ways: |
How about a symbolic link? |
My gut feeling tells me that it would basically be the same problem... BUT, I don't know for sure. However, @paspo's suggestion seems good. I've seen something like this in other apps:

```yaml
# Top-level secrets are a mapping, and each entry points at a file with `file:`.
secrets:
  key_priv:
    file: ./id_ed25519
  key_pub:
    file: ./id_ed25519.pub

services:
  rustdesk:
    # Grants the container the two secrets; Docker mounts them under /run/secrets/<name>.
    secrets:
      - key_priv
      - key_pub
    # List-form environment entries must be KEY=value strings.
    environment:
      - RUSTDESK_PRIVATE_KEY=/run/secrets/key_priv   # <-----
      - RUSTDESK_PUBLIC_KEY=/run/secrets/key_pub     # <-----
    # ...
```

The app would then read the secrets from files specified by those env vars. |
Just to frame this a little more, you can start hbbs like this:
hbbs -k IRvYWCnv72zAFBYO4LT9h5yUfqLQXG0/DVw68yFfr55UrtLfm6TjcOcvo+nLtscsA4VxvKcVJfJYC2rpi2R2DA==
You don't even need a key file. |
Is your feature request related to a problem? Please describe.
The self-hosted docker option allows mounting the keypair as file mounts:
Although this works, it's not ideal for such sensitive secrets.
Describe the solution you'd like
Please consider allowing the keypair to be mounted as proper docker secrets:
Those secrets would be automatically mounted at the standard docker paths:
Then the app can load the secrets from those files directly.
So from rustdesk's perspective, the ONLY change is to read from /run/secrets/secret_private and /run/secrets/secret_public instead of /data/id_ed25519 and /data/id_ed25519.pub. That's it.
Describe alternatives you've considered
Mounting as file mounts, as shown above.
Additional context
Thanks for considering it.
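One way a loader could honour both the original request (read straight from the /run/secrets paths instead of /data) and the env-var override proposed in the compose snippet in the comments. This is an added example in Python, not rustdesk's own code (rustdesk-server is written in Rust); the lookup order, the secret names key_priv/key_pub, the permission and size checks, and the assumed libsodium-style key layout (64-byte secret key whose second half is the 32-byte public key) are this example's assumptions. The point it demonstrates is the one raised in the thread: the key is read where it is mounted and is never copied to a second location with a different attack surface.

```python
"""Load an ed25519 keypair from Docker/Kubernetes secret files, in place.

Added example, not rustdesk code. Lookup order, checks and key layout are
assumptions made for illustration (see the comments below).
"""
import base64
import os
import shutil
import stat
import tempfile
from pathlib import Path

DOCKER_SECRET_DIR = Path("/run/secrets")  # standard Docker secrets mount
LEGACY_DATA_DIR = Path("/data")           # bind-mount location from the README

# kind -> (name under /run/secrets, legacy file name, env var proposed in the thread)
KEY_SOURCES = {
    "private": ("key_priv", "id_ed25519", "RUSTDESK_PRIVATE_KEY"),
    "public": ("key_pub", "id_ed25519.pub", "RUSTDESK_PUBLIC_KEY"),
}


def resolve_key_path(kind, env=None, secret_dir=DOCKER_SECRET_DIR,
                     legacy_dir=LEGACY_DATA_DIR):
    """Assumed order: explicit env var, then /run/secrets, then the legacy /data path."""
    env = os.environ if env is None else env
    secret_name, legacy_name, env_var = KEY_SOURCES[kind]
    if env.get(env_var):
        return Path(env[env_var])
    docker_path = secret_dir / secret_name
    if docker_path.is_file():
        return docker_path
    return legacy_dir / legacy_name


def read_key_file(path, max_bytes=1024):
    """Read the secret where it is mounted; never copy it elsewhere."""
    path = Path(path)
    # os.stat follows symlinks on purpose: Kubernetes projects secrets through a ..data link.
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{path}: writable by group or others")
    if st.st_size > max_bytes:
        raise ValueError(f"{path}: too large for a key file")
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


def load_keypair(env=None, secret_dir=DOCKER_SECRET_DIR, legacy_dir=LEGACY_DATA_DIR):
    """Return (secret_key, public_key) bytes after base64 decoding and a consistency check."""
    priv_path = resolve_key_path("private", env, secret_dir, legacy_dir)
    pub_path = resolve_key_path("public", env, secret_dir, legacy_dir)
    priv = base64.b64decode(read_key_file(priv_path).strip(), validate=True)
    pub = base64.b64decode(read_key_file(pub_path).strip(), validate=True)
    # Assumed libsodium layout: secret key = 32-byte seed || 32-byte public key.
    if len(priv) != 64 or len(pub) != 32:
        raise ValueError("unexpected key lengths")
    if priv[32:] != pub:
        raise ValueError("public key file does not match the private key file")
    return priv, pub


def write_key_file(path, raw, mode=0o400):
    """Helper for the constructed demo layout: base64 + newline, restrictive mode."""
    Path(path).write_bytes(base64.b64encode(raw) + b"\n")
    os.chmod(path, mode)


def demo():
    """Exercise the loader on a constructed layout in a temp dir; returns outcomes."""
    root = Path(tempfile.mkdtemp(prefix="secrets-demo-"))
    secret_dir, legacy_dir = root / "run_secrets", root / "data"
    secret_dir.mkdir()
    legacy_dir.mkdir()
    # Constructed key material with the assumed 64/32 layout; not real keys.
    pub = bytes(range(32, 64))
    priv = bytes(range(32)) + pub
    write_key_file(secret_dir / "key_priv", priv)
    write_key_file(secret_dir / "key_pub", pub)
    write_key_file(legacy_dir / "id_ed25519", priv)
    write_key_file(legacy_dir / "id_ed25519.pub", pub)

    results = {}
    # 1. No env vars: the Docker secrets mount wins over the legacy bind mount.
    p = resolve_key_path("private", {}, secret_dir, legacy_dir)
    results["docker_first"] = p == secret_dir / "key_priv"
    # 2. An env var points wherever the operator chose (e.g. a custom secret name).
    env = {"RUSTDESK_PRIVATE_KEY": str(legacy_dir / "id_ed25519")}
    p = resolve_key_path("private", env, secret_dir, legacy_dir)
    results["env_override"] = p == legacy_dir / "id_ed25519"
    # 3. Without a secrets mount, fall back to the legacy /data location.
    p = resolve_key_path("public", {}, root / "missing", legacy_dir)
    results["legacy_fallback"] = p == legacy_dir / "id_ed25519.pub"
    # 4. Full load from the secrets mount, including the seed||pub consistency check.
    results["loaded_ok"] = load_keypair({}, secret_dir, legacy_dir) == (priv, pub)
    # 5. A group-writable key file is refused.
    loose = legacy_dir / "loose"
    write_key_file(loose, pub, mode=0o660)
    try:
        read_key_file(loose)
        results["rejects_group_writable"] = False
    except ValueError:
        results["rejects_group_writable"] = True
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The demo never touches the real /run/secrets or /data; pass those directories (or rely on the defaults) when wiring this into a service. Docker mounts secrets read-only, so the writability check is a guard against a misconfigured bind mount rather than against Docker itself.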