Store docker credentials in keepasscx

Page content

In this post I will show you how to use KeePassXC to store your docker credentials on Linux.

Disable gnome-keyring

Ubuntu use gnome-keyring for secret store so first we need to disable this:

nano /etc/pam.d/gdm-password
# session optional        pam_gnome_keyring.so auto_start
mkdir -p ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-*.desktop ~/.config/autostart/

echo 'X-GNOME-Autostart-enabled=false' >> ~/.config/autostart/gnome-keyring-*.desktop

Install docker-credential-pass

echo SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket" >> ~/.pam_environment

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.7.0/docker-credential-pass-v0.7.0.linux-amd64

mv docker-credential-pass-v0.7.0.linux-amd64 docker-credential-pass
chmod u+x docker-credential-pass
sudo mv docker-credential-pass /usr/local/bin/docker-credential-pass
cat <<EOF > $HOME/.docker/config.json
{
  "credsStore": "secretservice"
}
EOF

Configure KeePassXC

  • First, check the Enable KeePassXC Freedesktop.org Secret Service integration box in Tools > Settings > Secret Service Integration. This enables the integration at the application level.
  • Then, open your password database, go into Database > Database Settings > Secret Service Integration and set up a folder to expose over the Secret Service API. You’ll probably want to use a new, empty folder for that.
  • We disabled the gnome-keyring service because it is interface with the Secret Service API.

Integration with Docker

Docker team supplies a credential helper that implements the Secret Service protocol already. So we need to install the docker-credential-secretservice on the path

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.7.0/docker-credential-pass-v0.7.0.linux-amd64
mv docker-credential-pass-v0.7.0.linux-amd64 docker-credential-pass
chmod +x docker-credential-pass
mv docker-credential-pass /usr/local/bin/

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.7.0/docker-credential-secretservice-v0.7.0.linux-amd64
mv docker-credential-secretservice-v0.7.0.linux-amd64 docker-credential-secretservice
chmod +x docker-credential-secretservice
mv docker-credential-secretservice /usr/local/bin/

Configure docker to use the secret service:

mkdir $HOME/.docker
echo "{
  "credsStore": "secretservice"
}" > $HOME/.docker/config.json

Test with dummy credentials:

secret-tool store --label='Test test' account cred-test