I wanted to pull a Docker image from DockerHub. To do so, I first created a DockerHub account. Once that was done I could run:
$ docker login # Enter your credentials
By default, however, it stored my login credentials unencrypted.
To store my credentials securely, Docker supports interfacing with a password manager.
For Linux, Docker supports Pass. I initialised Pass to use git as its storage. I didn't have to initialise Pass to store passwords in a git repo though. But I think it is a good idea if you need to share secrets among team members.
To use Pass, I first needed to create a GPG key pair. This will ensure I can sign my work and allows others to verify the authenticity of work that is signed by me.
$ sudo apt install pass # Install Pass
$ gpg --full-generate-key # Create public-private key
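$ pass init <public key> # Initialise the password store with the GPG key ID
$ pass git init # Optional: keep the password store in a git repo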
To bridge between Docker and Pass, I needed to use docker-credential-pass. Now I am less than impressed that docker-credential-pass doesn't come with a GPG signature. I am really surprised no one has kicked up a fuss about that. Perhaps there is a way to verify the download but I can't work it out.
$ mkdir -p ~/bin; cd ~/bin
$ echo 'export PATH=$PATH:~/bin' >> ~/.bashrc
$ export PATH=$PATH:~/bin # Also apply to the current shell so docker can find the helper
$ wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
$ tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
$ chmod a+x docker-credential-pass
$ mkdir -p ~/.docker # Already exists if docker login was run earlier
$ echo '{ "credsStore": "pass" }' > ~/.docker/config.json
$ pass insert docker-credential-helpers/docker-pass-initialized-check
$ # Set the password to: pass is initialized
$ docker login # Which will now store credentials in Pass
$ docker pull ubuntu:18.04
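To confirm the switch worked, the following check (an added example, not part of the original post) audits the contents of ~/.docker/config.json for credentials that are still stored inline and for a configured helper that is missing from PATH. The function name and the sample configs are constructed for illustration; the "auths", "auth", "credsStore" and "credHelpers" keys are Docker's own config fields.

```python
import base64
import json
import os
import shutil

# Constructed sample inputs (not real credentials).
_B64 = base64.b64encode(b"alice:not-a-real-password").decode()
BEFORE = json.dumps({"auths": {"https://index.docker.io/v1/": {"auth": _B64}}})
AFTER = json.dumps({"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"})


def audit_docker_config(text, which=shutil.which):
    """Return a list of findings for the text of a Docker config.json."""
    cfg = json.loads(text)
    findings = []
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers") or {}
    if not store:
        findings.append("no credsStore set: docker login writes credentials into config.json")
    # Each configured store must resolve to a docker-credential-<name> binary on PATH.
    for name in sorted({store, *helpers.values()} - {None, ""}):
        if which("docker-credential-" + name) is None:
            findings.append(f"helper docker-credential-{name} not found on PATH")
    # An inline "auth" value is base64("user:password"): encoded, not encrypted.
    for registry, entry in (cfg.get("auths") or {}).items():
        auth = (entry or {}).get("auth")
        if not auth:
            continue
        try:
            user = base64.b64decode(auth).decode("utf-8", "replace").split(":", 1)[0]
        except ValueError:
            user = "<undecodable>"
        findings.append(f"inline credential for user {user!r} at {registry}")
    return findings


if __name__ == "__main__":
    path = os.path.expanduser("~/.docker/config.json")
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = BEFORE  # fall back to the constructed sample
    for finding in audit_docker_config(text) or ["ok: no inline credentials, helper found"]:
        print(finding)
```

An empty result after the final docker login means the registry entry no longer carries an inline secret and the pass helper is reachable.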
The end.