Best practice: GPG server keys permission denied (Docker)

Hello,
I have a CentOS Linux release 7.7.1908 (Core) and I installed Passbolt with Docker with this tutorial:
https://help.passbolt.com/hosting/install/ce/docker.html
Like the tutorial, I want to persist the Gnupg serverkeys directory. So, I create a gpg-keys folder in /media/. But if I do docker run for Passbolt I can find in the logs:

gpg: directory ‘/home/www-data/.gnupg’ created
gpg: keybox ‘/home/www-data/.gnupg/pubring.kbx’ created
gpg: /home/www-data/.gnupg/trustdb.gpg: trustdb created
gpg: key 141223DE10561F7C marked as ultimately trusted
gpg: directory ‘/home/www-data/.gnupg/openpgp-revocs.d’ created
gpg: revocation certificate stored as ‘/home/www-data/.gnupg/openpgp-revocs.d/4A178A2D34B80F1413B4B194141223DE10561F7C.rev’
-bash: /var/www/passbolt/config/gpg/serverkey_private.asc: Permission denied

If I change the permissions with chmod -R o=wrx /media/gpg-keys docker run works fine and the server keys could be created. But I am not sure, if this is the right way. I think it is not fine, to allow all others the permissions write, read, execute for this directory. Exists an other/secure way to give Passbolt the permissions?
Thank you for your answers! :slight_smile:

Hi @Sebastian_SWP

While mounting the keys from the host to the container is one of the methods mentioned on the help site a better approach that has less problems with the permissions would be to use docker volumes. Docker volumes is the proposed approach on the passbolt docker compose file.

If you still want to use host mounts you should keep in mind that with read permission for the owner on the serverkey.asc and serverkey_private.asc should be enough to import the keys on the keyring (400 permissions)

Hope this helps you a bit.

Yes, you are right! Docker volumes are the better solution. :slight_smile: Thank you very much!

1 Like

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.