Docker
Use SikkerKey secrets in Docker containers.
There are two approaches: inject secrets at runtime via the CLI, or fetch secrets in your application using an SDK.
Option 1: CLI Entrypoint (Recommended)
Install the CLI in your image and use sikkerkey run as the entrypoint. Secrets are injected as environment variables at container start.
Dockerfile
FROM node:20-slim
# Install the SikkerKey CLI
RUN npm install -g @sikkerkey/cli
WORKDIR /app
# Install dependencies first so this layer is cached across source changes
COPY package*.json ./
RUN npm ci --omit=dev
# Copy the application. Keep .env files and any local identity material out of
# the build context with a .dockerignore; whatever is copied here is baked into the image.
COPY . .
# Run as the unprivileged `node` user the base image provides. The identity
# directory is mounted at this user's home (/home/node/.sikkerkey) at run time.
USER node
# The entrypoint fetches secrets and runs the app
ENTRYPOINT ["sikkerkey", "run", "--all", "--"]
CMD ["node", "server.js"]
Running
Mount the machine identity into the container at the home directory of the user the container process runs as. The examples below assume the image runs as the node user, whose home is /home/node:
docker run \
  -v ~/.sikkerkey:/home/node/.sikkerkey:ro \
  myapp:latest
If the private key on the host is mode 600, the container user must have the same uid as the file's owner to read it; the node user in the official node image is uid 1000.
Or pass the identity via environment variables and create it at startup. Values passed with -e are visible to anyone who can run docker inspect on the container and to every process inside it, so treat this as a bootstrap convenience for environments that cannot bind-mount, not as the default:
docker run \
  -e SIKKERKEY_VAULT_ID=vault_abc123 \
  -e SIKKERKEY_PROJECT_ID=proj_xyz789 \
  -e SIKKERKEY_MACHINE_ID=your-machine-uuid \
  -e SIKKERKEY_PRIVATE_KEY="$(cat ~/.sikkerkey/vaults/vault_abc123/private.pem)" \
  myapp:latest
With an entrypoint script that sets up the identity:
#!/bin/sh
# entrypoint.sh
set -eu
# Fail early with a clear message if the bootstrap variables are missing
: "${SIKKERKEY_VAULT_ID:?must be set}"
: "${SIKKERKEY_PROJECT_ID:?must be set}"
IDENTITY_DIR="$HOME/.sikkerkey/vaults/$SIKKERKEY_VAULT_ID"
# Create the identity from env vars if it was not bind-mounted
if [ ! -f "$IDENTITY_DIR/identity.json" ]; then
  : "${SIKKERKEY_MACHINE_ID:?must be set}"
  : "${SIKKERKEY_PRIVATE_KEY:?must be set}"
  # umask 077 so the key file is never group/world-readable, not even for the
  # instant between creation and chmod
  umask 077
  mkdir -p "$IDENTITY_DIR"
  printf '%s\n' "$SIKKERKEY_PRIVATE_KEY" > "$IDENTITY_DIR/private.pem"
  chmod 600 "$IDENTITY_DIR/private.pem"
  cat > "$IDENTITY_DIR/identity.json" <<EOF
{
  "machineId": "$SIKKERKEY_MACHINE_ID",
  "machineName": "docker",
  "vaultId": "$SIKKERKEY_VAULT_ID",
  "apiUrl": "https://api.sikkerkey.com",
  "privateKeyPath": "$IDENTITY_DIR/private.pem"
}
EOF
  sikkerkey connect "$SIKKERKEY_VAULT_ID"
  sikkerkey unlock "$SIKKERKEY_PROJECT_ID"
fi
# The key was only needed to write the file above; drop it from the environment
# so the application process does not inherit it
unset SIKKERKEY_PRIVATE_KEY
exec sikkerkey run --all -- "$@"
Then replace the ENTRYPOINT in the Dockerfile with the script:
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["node", "server.js"]
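The CLI fails on its own if the identity is missing or unreadable, but the error surfaces only after the container has started and says little about what is wrong. The preflight check below, added here as an example and not part of the SikkerKey CLI, inspects the identity directory as laid out above (vaults/<id>/private.pem and identity.json) before the entrypoint hands off to sikkerkey run. It covers both the bind-mounted and the env-var bootstrapped case; the function name and the error messages are this example's own.

```shell
#!/bin/sh
# sk_check_identity: preflight check for a SikkerKey machine identity directory.
# Added example for this page, not part of the SikkerKey CLI.
#
# Usage: sk_check_identity "$HOME/.sikkerkey" "$SIKKERKEY_VAULT_ID"
# Returns 0 when the identity looks usable, 1 otherwise (reason on stderr).

sk_check_identity() {
  base="$1"
  vault="$2"
  dir="$base/vaults/$vault"
  key="$dir/private.pem"
  ident="$dir/identity.json"

  [ -n "$vault" ] || { echo "preflight: SIKKERKEY_VAULT_ID is empty" >&2; return 1; }
  [ -d "$dir" ] || { echo "preflight: $dir is missing; is the identity mounted?" >&2; return 1; }
  [ -r "$ident" ] || { echo "preflight: $ident is missing or unreadable" >&2; return 1; }
  [ -r "$key" ] || { echo "preflight: $key is missing or unreadable" >&2; return 1; }

  # The private key must not be group- or world-accessible. Characters 5-10 of
  # the ls -l mode string are the group and other permission bits.
  mode=$(ls -ld "$key" | cut -c5-10)
  [ "$mode" = "------" ] || {
    echo "preflight: $key is group/world accessible ($mode); chmod 600 it" >&2
    return 1
  }

  # The key file must actually hold a PEM private key, not an empty file left
  # behind by an interrupted bootstrap.
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
    echo "preflight: $key does not contain a PEM private key" >&2
    return 1
  }

  # identity.json must belong to the vault we were told to use.
  grep -q -e "\"vaultId\": *\"$vault\"" "$ident" || {
    echo "preflight: $ident does not reference vault $vault" >&2
    return 1
  }

  return 0
}

# In entrypoint.sh, just before the exec:
#   sk_check_identity "$HOME/.sikkerkey" "$SIKKERKEY_VAULT_ID" || exit 1
#   exec sikkerkey run --all -- "$@"
```

The permission check is deliberate: a read-only mount stops the container from changing the key, but it does nothing about a key that was already group- or world-readable on the host.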
Option 2: SDK in Application
Install the SDK in your application and fetch secrets at startup. Mount the identity directory into the container at the home of the user the process runs as; the stock python image runs as root, so that is /root/.sikkerkey below.
FROM python:3.12-slim
WORKDIR /app
# Install dependencies first so this layer is cached across source changes
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
CMD ["python", "app.py"]
# app.py
from sikkerkey import SikkerKey

# The client picks up the machine identity mounted under ~/.sikkerkey
sk = SikkerKey()

# Read individual fields of the sk_db_prod secret; each read is audit-logged
db_host = sk.get_field("sk_db_prod", "host")
db_pass = sk.get_field("sk_db_prod", "password")
# Use the secrets to configure your app
docker run -v ~/.sikkerkey:/root/.sikkerkey:ro myapp:latest
Docker Compose
services:
  api:
    build: .
    volumes:
      - ~/.sikkerkey:/home/node/.sikkerkey:ro
    entrypoint: ["sikkerkey", "run", "--all", "--"]
    command: ["node", "server.js"]
  worker:
    build: .
    volumes:
      - ~/.sikkerkey:/home/node/.sikkerkey:ro
    entrypoint: ["sikkerkey", "run", "--all", "--"]
    command: ["node", "worker.js"]
Both containers use the same machine identity and get the same secrets. Each secret read is independently audit-logged.
Security Notes
- Mount the identity directory as read-only (:ro) so the container cannot modify or replace the keys. Read-only does not stop code inside the container from reading the private key, so everything that runs in the container is trusted with that machine identity.
- Never bake secrets or private keys into Docker images. A file deleted in a later layer is still present in the earlier layer and in every copy of the image in a registry.
- Never pass application secrets via docker run -e SECRET=value; use the CLI or SDK to fetch them at runtime. Values set with -e are visible through docker inspect and to every process in the container. The same applies to the private-key bootstrap shown above: prefer a bind mount wherever you can.
- Each container using the same identity appears as the same machine in audit logs. For per-container attribution, bootstrap a separate machine for each container and mount each container's own identity directory.
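One way to enforce the "never bake secrets or private keys into images" rule in CI, as an added example that is not part of SikkerKey: export the built image's filesystem and scan it for private-key material and for the identity and .env files this page mentions. The function name, the file-name list and the docker export recipe in the comment are this example's own choices.

```shell
#!/bin/sh
# sk_scan_rootfs: scan an exported container filesystem for baked-in secrets.
# Added example for this page, not part of SikkerKey. Export the filesystem of
# the built image first, then point the function at the extracted tree:
#
#   cid=$(docker create myapp:latest)
#   mkdir -p /tmp/rootfs && docker export "$cid" | tar -x -C /tmp/rootfs
#   docker rm "$cid" >/dev/null
#   sk_scan_rootfs /tmp/rootfs || { echo "image contains key material"; exit 1; }
#
# Returns 0 for a clean tree, 1 when something was found; each finding is
# printed as one line with the path relative to the tree root.

sk_scan_rootfs() {
  root="$1"
  found=0

  # 1. Names that should never ship in an image: the identity files this page
  #    uses (private.pem, identity.json), raw key files, and .env files that
  #    COPY . . picks up when they are not listed in .dockerignore.
  names=$(find "$root" -type f \( -name 'private.pem' -o -name 'identity.json' \
            -o -name '*.key' -o -name '.env' -o -name '.env.*' \) 2>/dev/null)
  if [ -n "$names" ]; then
    printf '%s\n' "$names" | sed "s|^$root|suspicious file name: |"
    found=1
  fi

  # 2. PEM private-key blocks under any file name. Certificate bundles
  #    (BEGIN CERTIFICATE) do not match, so a normal base image stays clean.
  keys=$(grep -rlI -e '-----BEGIN .*PRIVATE KEY-----' "$root" 2>/dev/null || true)
  if [ -n "$keys" ]; then
    printf '%s\n' "$keys" | sed "s|^$root|private key material: |"
    found=1
  fi

  return $found
}
```

Run it against every image you publish, not only the final one: a key copied in during a build stage and removed later is still in that stage's layers.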