AiderMacs and Podman

by Jonathan Villemaire-Krajden

Storing podman secrets in the wallet

When using [podman] as a container engine, you can use your keychain to store secrets, provided a secret service is available. This is more secure than storing them in a file or passing them as environment variables, since the secret is kept encrypted at rest and is only released while the keyring is unlocked. It should work with GNOME or KDE and be unlocked with your session by default. The service is usually provided by GNOME Keyring or KDE Wallet (KWallet).

Storing secrets in the keychain can be set up by creating a few scripts and letting podman know it should use them to manage secrets. You can try it out with

Here I create four scripts that will provide the commands that podman expects:

In ~/bin/podman-secret-store:

#!/bin/bash
# podman passes the secret ID in $SECRET_ID and the secret itself on stdin.
# secret-tool reads the secret from stdin, so it never appears in the process arguments.
# The attributes (client / secret-id) are what the other scripts search on.
secret-tool store --label "$SECRET_ID" client podman-secrets secret-id "$SECRET_ID"

In ~/bin/podman-secret-list:

#!/bin/bash
# podman expects one secret ID per line. Search on the same attribute the store
# script sets (client=podman-secrets); --all is needed, otherwise only the first
# match is printed. The label was set to the secret ID, so it is what we print.
secret-tool search --all client podman-secrets 2>&1 | grep '^label = ' | sed 's/^label = //'

In ~/bin/podman-secret-lookup:

#!/bin/bash
# Print the secret for $SECRET_ID to stdout; podman reads it from there.
secret-tool lookup client podman-secrets secret-id "$SECRET_ID"

In ~/bin/podman-secret-delete:

#!/bin/bash
# Remove the keyring item that matches $SECRET_ID.
secret-tool clear client podman-secrets secret-id "$SECRET_ID"

And finally, the configuration for podman:

In ~/.config/containers/containers.conf:

[secrets]
driver = "shell"
[secrets.opts]
list = "podman-secret-list"
lookup = "podman-secret-lookup"
store = "podman-secret-store"
delete = "podman-secret-delete"

Note that ~/bin/ must be in your PATH, since podman runs the four commands by name.
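The four commands only work together if list searches on the attributes that store wrote, and if lookup returns exactly the bytes that store received. The script below is an added example, not part of this post or of podman: it re-creates the four commands as shell functions and runs a store/list/lookup/delete round trip against a file-backed stand-in for secret-tool, so the contract can be checked offline without a running secret service. The stand-in, the FAKE_SECRET_DIR variable and the secret ID db_password are all constructed for this test; the stand-in only understands the argument shapes the podman-secret-* scripts use, not the full secret-tool CLI.

```shell
#!/bin/sh
# Added example: offline round trip of the podman shell-driver secret commands.

# The four commands, with the same secret-tool calls the ~/bin scripts make.
# podman passes the secret ID in $SECRET_ID; store gets the secret on stdin,
# lookup must echo it back, list must print one ID per line.
podman_secret_store()  { secret-tool store --label "$SECRET_ID" client podman-secrets secret-id "$SECRET_ID"; }
podman_secret_lookup() { secret-tool lookup client podman-secrets secret-id "$SECRET_ID"; }
podman_secret_delete() { secret-tool clear client podman-secrets secret-id "$SECRET_ID"; }
podman_secret_list()   { secret-tool search --all client podman-secrets 2>&1 | grep '^label = ' | sed 's/^label = //'; }

# Install a constructed stand-in for secret-tool in a temp dir and put it first in PATH.
setup_fake_secret_tool() {
  FAKE_SECRET_DIR=$(mktemp -d)
  export FAKE_SECRET_DIR
  mkdir -p "$FAKE_SECRET_DIR/bin"
  cat > "$FAKE_SECRET_DIR/bin/secret-tool" <<'EOF'
#!/bin/sh
# constructed stand-in (assumption): items are files keyed on the secret-id
# attribute; only store/lookup/clear/search with attribute pairs are supported
d=${FAKE_SECRET_DIR:?}
cmd=$1; shift
label=
[ "$1" = --label ] && { label=$2; shift 2; }
[ "$1" = --all ] && shift
attrs=; id=
while [ $# -ge 2 ]; do
  attrs="$attrs$1=$2
"
  [ "$1" = secret-id ] && id=$2
  shift 2
done
case $cmd in
  store)  cat > "$d/$id.secret"; printf '%s' "$attrs" > "$d/$id.attrs"
          printf '%s\n' "$label" > "$d/$id.label" ;;
  lookup) cat "$d/$id.secret" ;;
  clear)  rm -f "$d/$id.secret" "$d/$id.attrs" "$d/$id.label" ;;
  search) # print every item whose attributes include all requested pairs,
          # in the "label = ..." line format the list script parses
    for a in "$d"/*.attrs; do
      [ -e "$a" ] || continue
      ok=1
      for pair in $attrs; do grep -qxF -- "$pair" "$a" || ok=0; done
      if [ "$ok" = 1 ]; then printf '[%s]\nlabel = %s\n' "$a" "$(cat "${a%.attrs}.label")"; fi
    done ;;
esac
EOF
  chmod +x "$FAKE_SECRET_DIR/bin/secret-tool"
  PATH="$FAKE_SECRET_DIR/bin:$PATH"
  export PATH
}

# Store, list, look up and delete one secret; print a one-line summary.
# A working setup lists the ID after store, returns the exact bytes on
# lookup, and lists nothing after delete.
secret_roundtrip() {
  setup_fake_secret_tool
  export SECRET_ID=db_password                       # constructed secret ID
  printf 'constructed-secret-value' | podman_secret_store
  listed=$(podman_secret_list)
  value=$(podman_secret_lookup)
  podman_secret_delete
  remaining=$(podman_secret_list)
  rm -rf "$FAKE_SECRET_DIR"
  printf 'listed=%s value=%s remaining=%s\n' "$listed" "$value" "$remaining"
}

secret_roundtrip
```

The same round trip can be run against the real scripts and the real secret-tool on a desktop session by dropping the setup function; if list comes back empty after a store, the attributes in the list script do not match those the store script wrote. Note that the secret value only ever travels over stdin and stdout, so it does not show up in the argument list of any process, while the secret ID (which is not sensitive) does.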