When working with Docker, you might need to use SSH keys inside a container — for example, to:
- Clone private Git repositories
- Connect to remote servers
- Perform automated deployments
However, due to Docker’s security isolation, handling SSH keys requires extra care. This post explains the best practices for using SSH keys in Docker containers — securely and effectively.
🧠 Why Not Just COPY the SSH Key?
You might think of doing this in your Dockerfile:
```dockerfile
COPY id_rsa /root/.ssh/id_rsa
```
But don’t do this. It bakes your private SSH key into the image, which:
- Exposes the key to anyone with access to the image
- Can be pushed accidentally to public registries
- Is unsafe for production use
Instead, use Docker build-time or run-time techniques to keep your keys safe.
✅ Option 1: Mount SSH Key at Runtime (Recommended)
The best practice is to mount the SSH key at runtime, so it’s not stored in the image.
🔧 Example:
```bash
docker run -it \
  -v ~/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
  -v ~/.ssh/known_hosts:/root/.ssh/known_hosts:ro \
  my-container
```
- Mounts your private key and known hosts
- Read-only access (`:ro`) for safety
- Container can now use SSH without storing keys permanently
⚠️ Make sure the key has correct permissions inside the container (`chmod 600`).
🔐 Option 2: Use ssh-agent Forwarding
If you use ssh-agent on your host, you can forward the agent socket into the container. This is great because the private key never leaves your host.
🔧 Steps:
- Start `ssh-agent` and add your key:
```bash
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
```
- Run the container with the agent socket mounted (quote the variable so a path containing spaces does not break the mount):
```bash
docker run -it \
  -v "$SSH_AUTH_SOCK":/ssh-agent \
  -e SSH_AUTH_SOCK=/ssh-agent \
  my-container
```
Inside the container, SSH will now use the forwarded agent.
✅ No private key inside the container — just a socket to communicate with the host’s agent.
🛠️ Option 3: Use --mount=type=ssh with Docker BuildKit
If you need SSH access during the image build, Docker BuildKit offers a secure way using `--mount=type=ssh`.
🔧 Dockerfile:
```dockerfile
# syntax=docker/dockerfile:1.3
FROM alpine
# Install the SSH client and git (git is needed for the clone below)
RUN apk add --no-cache openssh git
# Use the forwarded SSH agent only for this build step.
# The clone succeeds only if the server's host key is already in known_hosts.
RUN --mount=type=ssh git clone [email protected]:your/private-repo.git
```
🔧 Build Command:
```bash
DOCKER_BUILDKIT=1 docker build --ssh default .
```
🔐 The SSH key is only exposed during that `RUN` step and not stored in the final image.
🔒 SSH Key Permissions Inside Docker
SSH will refuse to use keys with open permissions. Ensure proper permissions inside the container:
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/known_hosts
```
You can also use ENTRYPOINT or CMD to apply permissions on container start.
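One way to do that from an ENTRYPOINT, as an added example that is not part of the original post: a POSIX sh script that copies a read-only mounted key directory into `~/.ssh` with the modes above, prefers a forwarded ssh-agent when `SSH_AUTH_SOCK` points at a live socket, and pins `StrictHostKeyChecking` so a host missing from `known_hosts` fails instead of prompting. It assumes the host `.ssh` directory is mounted at `/run/ssh-mount` rather than directly into `/root/.ssh` (chmod fails on a `:ro` bind mount, so the files are copied instead); the paths, variable names and generated config line are assumptions.

```shell
#!/bin/sh
# Added example entrypoint (not from the original post): copies a read-only
# mounted key directory into ~/.ssh with the modes ssh insists on, prefers a
# forwarded ssh-agent when present, then execs the real command.
# SSH_SRC, SSH_DST and the generated config line are assumptions.
set -eu

SSH_SRC="${SSH_SRC:-/run/ssh-mount}"      # target of `-v ~/.ssh:/run/ssh-mount:ro`
SSH_DST="${SSH_DST:-${HOME:-/root}/.ssh}" # where ssh actually looks

# True when the file or directory has exactly the given octal mode.
has_mode() { find "$1" -prune -perm "$2" | grep -q .; }

# True when a forwarded ssh-agent socket is usable inside the container.
agent_available() { [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]; }

# chmod fails on a :ro bind mount, so copy the files and fix modes on the copy.
install_ssh_dir() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && chmod 700 "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$dst/"
        case "$f" in
            *.pub|*/known_hosts|*/config) chmod 644 "$dst/${f##*/}" ;;
            *)                            chmod 600 "$dst/${f##*/}" ;;  # private keys
        esac
    done
    # Fail on an unknown host key instead of prompting or trusting on first use.
    printf 'StrictHostKeyChecking yes\n' >> "$dst/config"
    chmod 600 "$dst/config"
}

prepare_ssh() {
    if agent_available; then
        echo "using forwarded ssh-agent at $SSH_AUTH_SOCK" >&2
        return 0
    fi
    [ -d "$SSH_SRC" ] || { echo "no agent socket and no key mount at $SSH_SRC" >&2; return 1; }
    install_ssh_dir "$SSH_SRC" "$SSH_DST"
    [ -f "$SSH_DST/known_hosts" ] || echo "warning: no known_hosts mounted" >&2
}

# Act as entrypoint only when a command was given (CMD supplies one); with no
# arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    prepare_ssh
    exec "$@"
fi
```

With `ENTRYPOINT ["/entrypoint.sh"]` and a `CMD`, the same image works for both the volume-mount and the agent-forwarding options above.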
🧭 Summary: Best Practices
| Method | Use Case | Security Level |
|---|---|---|
| Volume mount | Runtime SSH access | ✅ Good |
| ssh-agent forwarding | Secure access without key exposure | ✅✅ Very Good |
| BuildKit SSH mount | Secure SSH during docker build | ✅✅ Very Good |
| COPY into image | Not recommended | ❌ Insecure |
✅ Final Tips
- Never hardcode or bake SSH keys into images.
- Use `known_hosts` to prevent MITM attacks during SSH access.
- Clean up SSH keys or sockets if using temporary containers.