secure-environment

v0.1.1

This package is not in the latest version of its module.
Published: Mar 29, 2017 License: Apache-2.0 Imports: 13 Imported by: 0

README

secure-environment - A loader for secure environments on AWS

Introduction

This tool is intended to run at the startup of a docker container to securely set the container's environment variables. The included secure-entrypoint.sh script is intended to be used along with secure-environment to provide this functionality on docker containers. At this time, this is intended to work with convox specifically.

How it works

The docker-entrypoint.sh script acts as the entrypoint for the docker container. The script calls the secure-environment binary, which writes a sourceable shell script containing exported environment variables to stdout.
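Because the generated script is sourced by a shell, every value has to be emitted as a literal, or a secret containing quotes or `$(...)` would be interpreted at container start. The following is an added example, not code from the secure-environment project: `renderExports` and `shellQuote` are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// validName matches POSIX shell variable names; anything else is rejected
// rather than written into a script that will be sourced.
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// shellQuote wraps s in single quotes so the shell treats it as a literal.
// An embedded single quote is written as '\'' (close, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// renderExports returns a sourceable script with one export line per
// variable, sorted by name so the output is deterministic.
func renderExports(env map[string]string) (string, error) {
	names := make([]string, 0, len(env))
	for name := range env {
		if !validName.MatchString(name) {
			return "", fmt.Errorf("invalid variable name %q", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "export %s=%s\n", name, shellQuote(env[name]))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample values; a real loader would read them from its secret store.
	sample := map[string]string{
		"DB_PASSWORD": "p@ss'word; $(id)",
		"API_URL":     "https://example.invalid/v1",
	}
	script, err := renderExports(sample)
	if err != nil {
		panic(err)
	}
	fmt.Print(script)
}
```

Sourcing the output sets `DB_PASSWORD` to the exact string, including the quote and the `$(id)` text, without running anything.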

Using with convox

Setting up the docker container

To use this with convox, you need to set the label convox.secure-env to true on the services you intend to secure.

In your docker container, make sure that the secure-entrypoint.sh script from the scripts folder of this repository and the latest linux binary of the secure-environment executable are copied to the following locations:

secure-environment -> /usr/sbin/secure-environment
secure-entrypoint -> /usr/sbin/secure-entrypoint.sh

If you know what you're doing, you can edit the secure-entrypoint.sh file to change the location of these files.

Finally, you need to set the ENTRYPOINT in your Dockerfile to this:

ENTRYPOINT ["/usr/sbin/secure-entrypoint.sh"]

If you're using this with tini like we do at Virtru, then you would do this:

ENTRYPOINT ["/usr/local/bin/tini", "--", "/usr/sbin/secure-entrypoint.sh"]
