How to Eliminate Plaintext MySQL Passwords in Docker Containers

Introduction

Docker promotes the "Dockerize Everything" mantra, dramatically influencing software development, but its rapid adoption raises questions about security, especially for storage‑class containers like MySQL.

Previous articles highlighted the plaintext password issue when MySQL containers receive passwords via environment variables.

Solution for Plaintext Passwords

The problem stems from overly automated container creation that stores the MySQL root password in an environment variable, leaving the plaintext exposed.

To avoid this, the password set by the user should be applied directly to the MySQL engine without ever appearing in an environment variable. This can be achieved by replacing the container's volume after creation.

Below is a diagram of the approach:

Two MySQL containers (MySQL1 and MySQL2) are created with different root passwords:

docker run -d -e MYSQL_ROOT_PASSWORD=daocloud --name MySQL1 mysql
docker run -d -e MYSQL_ROOT_PASSWORD=docker --name MySQL2 mysql

The three‑step process to obtain a container with a non‑exposed password is:

Create MySQL1 and MySQL2 with root passwords daocloud and docker respectively.

Stop MySQL1, copy its volume (volume1) out, then remove the container.

Stop MySQL2, delete its volume (volume2), copy volume1 into volume2, and restart MySQL2.

After these steps, MySQL2 runs with the root password daocloud, while the environment variable MYSQL_ROOT_PASSWORD remains set to "docker"; no plaintext password remains in the container.

The key operation is replace volume, which transfers the encrypted password data while invalidating the plaintext environment variable.

Docker Layer vs Application Layer

One alternative is to modify the password from within the container using tools like mysql-client. While feasible, this approach requires container‑level access and may not be suitable when the Docker daemon administrator differs from the container user, especially in public‑cloud scenarios.

The replace volume method operates at the Docker layer, making it more generic and applicable to other storage‑class containers such as MongoDB or Redis.

In Docker terminology, environment variables belong to the Docker layer, whereas specific variables like MYSQL_ROOT_PASSWORD are interpreted by the application layer. Volumes are Docker‑layer constructs, while their contents are application‑layer data.

Conclusion

The plaintext password issue in storage‑class Docker containers arises because application‑level passwords are passed through Docker‑layer environment variables, leaving them exposed. Replacing the container's volume provides a Docker‑layer solution that eliminates the plaintext password without altering the container's environment variables.