2.13
Getting Started
Administering Portainer
Frequently Asked Questions
Advanced Topics
Get More Help
Contribute to Portainer
Encrypting the Portainer database
Portainer uses a BoltDB database to store the configuration, kept in the
portainer_data volume created during installation. This database can be encrypted for additional security through the use of a secret provided when the Portainer Server is started. Encryption can be added during the initial installation or at a later date.At present, encryption of the database is not reversible.
Docker Standalone
To enable encryption on Docker Standalone, you will first need to create a secret key, then modify your docker run command to mount the secret in the container.
Create a secret
Create a text file on the system running Docker Standalone that is accessible to the Docker executable, yet somewhere secure. For this example, we'll assume the file is called
/root/secrets/portainer_key. In this file enter a secret. This will be the key used to encrypt the Portainer database.Mount the secret
If Portainer is already running, you will need to stop and remove the Portainer container before continuing:
1
docker stop portainer
2
docker rm portainer
Copied!
To encrypt the database, add a bind mount to the
docker run command that mounts your secret in /run/secrets/portainer:1
-v /root/secrets/portainer_key:/run/secrets/portainer
Copied!
Your final
docker run command may look like this:1
docker run -d -p 8000:8000 -p 9443:9443 --name portainer \
2
--restart=always \
3
-v /var/run/docker.sock:/var/run/docker.sock \
4
-v portainer_data:/data \
5
-v /root/secrets/portainer_key:/run/secrets/portainer \
6
portainer/portainer-ee:latest
Copied!
When the Portainer container starts, it will encrypt any existing database, or for a fresh install will create a new encrypted database as part of the install process.
Docker Swarm
To enable encryption on Docker Swarm, you will first need to create a secret. You will then either update the service to incorporate the new secret (if you have an existing Portainer installation) or edit the compose file used to create the stack to include the secret (if this is a fresh installation of Portainer).
Create a secret
On a manager node, you can run the following command to create a secret:
1
echo "This is a secret" | docker secret create portainer_key -
Copied!
Replace
This is a secret with your secret. This will create a secret named portainer_key, which will be the key used to encrypt the Portainer database.You can also create a secret in Portainer if you are adding encryption to an existing installation.
Existing installations: Update the service
To add encryption to an existing Portainer deployment on Docker Swarm, you can use the following command on a manager node:
1
docker service update \
2
--secret-add src=portainer_key,target="/run/secrets/portainer" \
3
portainer
Copied!
The service will add the new secret and encrypt the database.
New installations: Edit the compose file
To install Portainer on Docker Swarm with encryption, you will need to edit the compose file you downloaded as part of the installation process. Add a secrets section to the
portainer service definition:1
secrets:
2
- portainer_key
Copied!
This tells the service to use the
portainer_key secret created earlier. With the secret added, your full portainer service definition may look like this:1
portainer:
2
image: portainer/portainer-ee:latest
3
command: -H tcp://tasks.agent:9001 --tlsskipverify
4
ports:
5
- "9443:9443"
6
- "9000:9000"
7
- "8000:8000"
8
volumes:
9
- portainer_data:/data
10
networks:
11
- agent_network
12
deploy:
13
mode: replicated
14
replicas: 1
15
placement:
16
constraints: [node.role == manager]
17
secrets:
18
- portainer_key
Copied!
Save your changes, then use the compose file to deploy your Portainer installation as covered in the Swarm installation instructions. The database will be deployed encrypted as part of the installation process.
Kubernetes
To enable encryption on Kubernetes you will first need to create a secret. You will then mount this secret as a volume in Portainer.
Create a secret
From the command line on your Kubernetes cluster, you can run the following command to create your secret:
1
kubectl create secret generic portainer-key --from-literal=secret=IAmASecretKey
Copied!
Replace
IAmASecretKey with your secret. This will create a secret named portainer-key, which will be the key used to encrypt the Portainer database.Modify the YAML file
Once the secret has been created, we need to modify the YAML file to mount the secret as a volume in Portainer. Download the YAML file for your particular deployment and locate the
container definition for the portainer container. It should look something like this:1
containers:
2
- name: portainer
3
image: "portainer/portainer-ee:latest"
4
imagePullPolicy: Always
5
args:
6
volumeMounts:
7
- name: data
8
mountPath: /data
Copied!
In the
volumeMounts section, add a definition for the secret created earlier:1
volumeMounts:
2
- name: data
3
mountPath: /data
4
- name: portainer-key
5
mountPath: /run/secrets/portainer
Copied!
We also need to add a definition to the
volumes definition for the spec:1
spec:
2
containers:
3
portainer:
4
...
5
volumes:
6
- name: portainer-key
7
secret:
8
secret_name: portainer-key
9
Copied!
Save the file, then apply it to your running configuration:
1
kubectl apply -f portainer.yaml
Copied!
Replace
portainer.yaml with the name of your modified YAML file.