Production Docker Secrets: Secure Your Self-Hosted Crypto Infrastructure

When deploying self-hosted crypto infrastructure with Docker, storing sensitive credentials like private keys and master passwords in plain environment variables is like leaving your vault combination written on a sticky note. Production environments need robust secret management that protects your assets even if container configurations are compromised.

Why Secret Management Matters for Crypto Infrastructure

Running a self-hosted crypto wallet service means you're responsible for protecting potentially millions of dollars worth of digital assets. Unlike traditional web applications where a database breach might leak user data, crypto infrastructure breaches directly result in irreversible financial loss. Every private key, seed phrase, and master password becomes a single point of failure.

Traditional Docker deployments often store secrets in .env files or docker-compose environment variables. Both end up in plain text: the .env file sits on disk, and environment variables appear in docker inspect output, in /proc/<pid>/environ, and in every child process the daemon spawns, where a crash dump or debug log can capture them. Anyone with access to the Docker socket or the container can read them. When you're managing AI agent wallets that might execute thousands of transactions daily, this approach becomes a ticking time bomb.

WAIaaS Docker Secrets: Production-Grade Security

WAIaaS provides built-in Docker Secrets support for secure credential management in production environments. Instead of exposing sensitive data through environment variables, each secret is delivered to the container as a file under /run/secrets/. With Docker Swarm the secret is stored encrypted in the managers' Raft log, sent over TLS only to nodes running a service that uses it, and mounted on an in-memory (tmpfs) filesystem inside the container.

The system supports both Docker Swarm secrets and file-based secrets for single-node deployments. The two are not equivalent: with the Compose file provider on a single node there is no encryption layer, the host file itself is mounted into the container, so its protection is exactly the host file's ownership and permissions. Here's how to deploy WAIaaS with proper secret management:

Setting Up File-Based Secrets

First, create your secret files with restricted permissions. Two cautions: a password typed on an echo command line is recorded in your shell history, so either remove that entry afterwards or generate the value straight into the file (for example, openssl rand -base64 32 > secrets/master_password.txt); and echo appends a newline to the stored value, so write every secret the same way to avoid a mismatch later.

# Create secrets directory
mkdir -p secrets
chmod 700 secrets

# Store master password securely
echo "your-secure-master-password" > secrets/master_password.txt
chmod 600 secrets/master_password.txt

# Store RPC endpoints (optional, but the Alchemy URL embeds your API key, so it belongs with the secrets)
echo "https://api.mainnet-beta.solana.com" > secrets/solana_rpc.txt
echo "https://eth-mainnet.g.alchemy.com/v2/your-key" > secrets/ethereum_rpc.txt
chmod 600 secrets/*.txt
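A safer way to produce the same files, as an added example in POSIX shell and not WAIaaS project code: the value is read from stdin, so it is never a command-line argument that ps or shell history would record; the directory and files are created under umask 077, so they are never readable by other users even before chmod runs; empty secrets are rejected; and a check function confirms the final permissions. The secrets/ layout and file names follow the commands above; the 32-byte generated password length is an assumption.

```bash
#!/bin/sh
# Added example (not WAIaaS project code): create file-based Docker secrets
# without the value ever appearing on a command line, and without a window
# in which the files are readable by other users.
set -eu

# Create the secrets directory as mode 700. The umask is changed in a
# subshell so the caller's umask is left alone.
init_secrets_dir() {
  dir=$1
  ( umask 077 && mkdir -p "$dir" )
  chmod 700 "$dir"
}

# Store a secret read from stdin as "$dir/$name.txt", mode 600.
# The trailing newline is stripped so the file holds exactly the value
# (an `echo "value" > file` would include one). An empty value is rejected:
# an empty master password file would start the daemon with no real
# protection instead of failing loudly.
write_secret() {
  dir=$1; name=$2
  target="$dir/$name.txt"
  ( umask 077 && tr -d '\n' > "$target" )
  chmod 600 "$target"
  if [ ! -s "$target" ]; then
    rm -f "$target"
    echo "refusing to store empty secret '$name'" >&2
    return 1
  fi
}

# Generate a random master password (32 bytes, base64; length is an
# assumption) directly into the file, bypassing the shell history entirely.
generate_master_password() {
  openssl rand -base64 32 | write_secret "$1" master_password
}

# Prompt a human for a secret without echoing it to the terminal.
prompt_secret() {
  dir=$1; name=$2
  printf 'Enter %s: ' "$name" >&2
  stty -echo; read -r value; stty echo; echo >&2
  printf '%s' "$value" | write_secret "$dir" "$name"
}

# Return 0 when the directory is exactly 700 and every *.txt inside is
# exactly 600; print each offender and return 1 otherwise.
verify_secret_perms() {
  dir=$1
  rc=0
  [ -n "$(find "$dir" -prune -perm 700 -print)" ] || { echo "$dir is not mode 700" >&2; rc=1; }
  for f in "$dir"/*.txt; do
    [ -e "$f" ] || continue
    [ -n "$(find "$f" -prune -perm 600 -print)" ] || { echo "$f is not mode 600" >&2; rc=1; }
  done
  return $rc
}

# Usage: secrets.sh init   (creates ./secrets with a generated master password)
if [ "${1:-}" = "init" ]; then
  init_secrets_dir secrets
  generate_master_password secrets
  verify_secret_perms secrets
fi
```

Run verify_secret_perms again after any manual edit to the directory; a backup tool or editor that rewrites a file in place can silently widen its mode.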

Production Docker Compose Configuration

WAIaaS includes a secrets overlay file that you combine with the base configuration:

# Deploy with secrets overlay
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d

The secrets overlay (docker-compose.secrets.yml) mounts sensitive files into the container's /run/secrets/ directory. There they are readable inside the container by the user the daemon runs as, but they do not appear in docker inspect output, in the process environment, or in the image. Because the Compose file provider mounts the host file, the container user must be able to read it: if the daemon fails at startup, check with docker exec waiaas-daemon ls -l /run/secrets/ before loosening permissions on the host. Delivering secrets as files rather than environment variables is Docker's recommended practice for production deployments.

Container Security Hardening

Beyond secret management, WAIaaS containers run with several security hardening measures:

services:
  daemon:
    image: ghcr.io/minhoyoo-iotrust/waiaas:latest
    user: "1001:1001"  # Non-root user
    read_only: true    # Read-only filesystem
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    volumes:
      - waiaas-data:/data
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 100M

This configuration ensures the container cannot gain privileges (no-new-privileges plus every capability dropped), writes only to the designated data volume and a size-capped tmpfs for scratch files, and runs under a non-root user account. The named volume must be writable by uid 1001; if the daemon cannot open its database, that is the first thing to check. These are critical protections when handling private keys.
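The two claims made so far, that secrets are absent from the container's environment and that the hardening flags are actually in force, are worth checking against the running container rather than against the compose files. The following added example (POSIX shell, not WAIaaS project code) does that from docker inspect output. The inspect template is ordinary Docker syntax; the container name and the WAIAAS_* variable names in the constructed sample outputs are assumptions, not documented WAIaaS settings.

```bash
#!/bin/sh
# Added example (not WAIaaS project code): audit a running container for
# secret material in its environment and for the hardening flags this page
# recommends. Container and variable names in the samples are assumptions.
set -eu

# One key=value per line, so the result is checkable with sed and grep.
INSPECT_TEMPLATE='User={{.Config.User}}
ReadonlyRootfs={{.HostConfig.ReadonlyRootfs}}
Privileged={{.HostConfig.Privileged}}
CapDrop={{json .HostConfig.CapDrop}}
SecurityOpt={{json .HostConfig.SecurityOpt}}
Env={{json .Config.Env}}'

inspect_container() {
  docker inspect --format "$INSPECT_TEMPLATE" "$1"
}

# Value of key $1 in inspect output $2.
inspect_field() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# Return 0 when the container runs non-root, read-only, unprivileged, with
# all capabilities dropped and no-new-privileges set; print failures and
# return 1 otherwise.
audit_hardening() {
  out=$1; rc=0
  case "$(inspect_field User "$out")" in
    ""|0|root|0:*|root:*) echo "FAIL: container runs as root" >&2; rc=1 ;;
  esac
  [ "$(inspect_field ReadonlyRootfs "$out")" = "true" ] || { echo "FAIL: root filesystem is writable" >&2; rc=1; }
  [ "$(inspect_field Privileged "$out")" = "false" ] || { echo "FAIL: container is privileged" >&2; rc=1; }
  inspect_field CapDrop "$out" | grep -q '"ALL"' || { echo "FAIL: capabilities not dropped" >&2; rc=1; }
  inspect_field SecurityOpt "$out" | grep -q 'no-new-privileges' || { echo "FAIL: no-new-privileges not set" >&2; rc=1; }
  return $rc
}

# Return 0 when no environment variable NAME looks like it carries a secret.
# Only names are inspected and printed, so the audit itself cannot leak a
# value. Names ending in _FILE are the file-based pattern and are allowed.
audit_env() {
  out=$1
  names=$(inspect_field Env "$out" | sed 's/^\[//; s/]$//' | tr ',' '\n' \
          | grep '^"' | sed 's/^"//; s/=.*//' || true)
  leaks=$(printf '%s\n' "$names" \
          | grep -E -i 'PASSWORD|PASSWD|SECRET|PRIVATE|MNEMONIC|SEED|API_KEY|TOKEN' \
          | grep -v '_FILE$' || true)
  if [ -n "$leaks" ]; then
    echo "FAIL: secret-looking variables in the container environment:" >&2
    printf '  %s\n' $leaks >&2
    return 1
  fi
  return 0
}

# Constructed sample outputs (what the template would print for the hardened
# compose service above, and for a naive deployment); not captured from a
# real host. WAIAAS_MASTER_PASSWORD(_FILE) are assumed names.
SAMPLE_HARDENED='User=1001:1001
ReadonlyRootfs=true
Privileged=false
CapDrop=["ALL"]
SecurityOpt=["no-new-privileges:true"]
Env=["PATH=/usr/local/bin:/usr/bin","WAIAAS_MASTER_PASSWORD_FILE=/run/secrets/master_password","WAIAAS_AUTO_PROVISION=false"]'

SAMPLE_NAIVE='User=
ReadonlyRootfs=false
Privileged=false
CapDrop=null
SecurityOpt=null
Env=["PATH=/usr/bin","WAIAAS_MASTER_PASSWORD=correct-horse","ETH_PRIVATE_KEY=0xdeadbeef"]'

# Usage: audit.sh <container>; with no argument, check the samples.
if [ $# -gt 0 ]; then
  out=$(inspect_container "$1")
  audit_hardening "$out"
  audit_env "$out"
else
  audit_hardening "$SAMPLE_HARDENED"
  audit_env "$SAMPLE_HARDENED"
  if audit_hardening "$SAMPLE_NAIVE"; then echo "unexpected: naive sample passed" >&2; exit 1; fi
fi
```

The name-based environment check is deliberately conservative; tune the pattern list to your own variable naming, and keep the _FILE exception, since the whole point of the secrets overlay is that only paths, never values, reach the environment.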

Environment-Specific Deployment

For development environments, WAIaaS supports auto-provisioning with generated credentials:

docker run -d \
  --name waiaas \
  -p 127.0.0.1:3100:3100 \
  -v waiaas-data:/data \
  -e WAIAAS_AUTO_PROVISION=true \
  ghcr.io/minhoyoo-iotrust/waiaas:latest

# Retrieve the auto-generated master password
docker exec waiaas cat /data/recovery.key

This generates a cryptographically secure master password and stores it in /data/recovery.key for initial setup; the -p 127.0.0.1:3100:3100 binding keeps the API reachable only from the host itself. Treat this as a development convenience: the password sits in plain text on the data volume and the command above prints it to your terminal. Harden the deployment later by setting a custom master password and deleting the recovery file.

Monitoring and Health Checks

Production deployments include built-in health monitoring:

healthcheck:
  test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
  interval: 30s
  timeout: 5s
  start_period: 10s
  retries: 3

The health endpoint verifies that the daemon is responding, database connections are active, and critical services are operational. Two limits apply. The check runs inside the container, so curl must exist in the image; a distroless or scratch-based image needs a different test. And Docker itself does not restart a container that turns unhealthy: it only records the status, visible in docker ps and docker inspect. Swarm replaces unhealthy tasks, but a single-node Compose deployment needs an external monitor or supervisor to act on the status, so wire it into your alerting rather than relying on automatic recovery.

Backup and Recovery

WAIaaS includes comprehensive backup functionality through its CLI:

# Create encrypted backup of all wallets and configuration
waiaas backup create --encrypt --output backup-$(date +%Y%m%d).enc

# List backup contents without extracting
waiaas backup inspect backup-20240315.enc

# Restore from backup (requires master password)
waiaas restore backup-20240315.enc

Backups include encrypted private keys, wallet metadata, transaction history, and policy configurations. Store them in geographically distributed locations using your existing backup infrastructure, keep the master password separately (an encrypted backup is worthless without it, and storing the two together defeats the encryption), and rehearse a restore on a scratch host so you know the procedure works before you need it.
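As an added example (POSIX shell, not WAIaaS project code) of the host side of that advice: a cron job that creates the backup inside the container, copies it out, records an integrity checksum beside it, and enforces a retention count. The waiaas backup create --encrypt --output form is the one shown above; the container name, the /data/backups path inside the container, the host directory and the retention count are assumptions.

```bash
#!/bin/sh
# Added example (not WAIaaS project code): host-side backup job for cron.
# Container name, in-container path, host directory and retention count
# are assumptions; the waiaas CLI form is the one shown on this page.
set -eu

CONTAINER=${CONTAINER:-waiaas-daemon}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/waiaas}
KEEP=${KEEP:-14}   # backups to retain on this host

# Record a SHA-256 beside the backup so silent corruption or tampering in
# storage is caught before you depend on the file in a recovery.
checksum_backup() {
  f=$1
  ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" > "$(basename "$f").sha256" )
}

# Return 0 only if the backup still matches its recorded checksum.
verify_backup() {
  f=$1
  ( cd "$(dirname "$f")" && sha256sum -c "$(basename "$f").sha256" >/dev/null 2>&1 )
}

# Delete all but the newest $2 backups in $1, with their checksum files.
# Names embed a UTC timestamp, so lexical order is chronological.
prune_backups() {
  dir=$1; keep=$2
  ls "$dir"/backup-*.enc 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
  while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# Number of backups currently held in $1.
count_backups() {
  ls "$1"/backup-*.enc 2>/dev/null | wc -l | tr -d ' '
}

# The job body: create the backup in the container's /data volume (the only
# writable path under read_only: true), copy it to the host, then checksum,
# verify and prune. Needs a running container; not exercised offline.
run_backup() {
  name="backup-$(date -u +%Y%m%d-%H%M%S).enc"
  docker exec "$CONTAINER" mkdir -p /data/backups
  docker exec "$CONTAINER" waiaas backup create --encrypt --output "/data/backups/$name"
  docker cp "$CONTAINER:/data/backups/$name" "$BACKUP_DIR/$name"
  docker exec "$CONTAINER" rm -f "/data/backups/$name"
  checksum_backup "$BACKUP_DIR/$name"
  verify_backup "$BACKUP_DIR/$name"
  prune_backups "$BACKUP_DIR" "$KEEP"
}

# Install the job at 02:00 daily without clobbering other crontab entries
# (a bare `echo ... | crontab -` replaces the whole crontab).
install_cron_job() {
  script=$1
  { crontab -l 2>/dev/null | grep -v -F "$script" || true
    echo "0 2 * * * $script run"; } | crontab -
}

# Entry points: `backup.sh run` from cron, `backup.sh install /path/backup.sh`.
if [ "${1:-}" = "run" ]; then run_backup; fi
if [ "${1:-}" = "install" ]; then install_cron_job "$2"; fi
```

The checksum is an integrity aid for storage, not a substitute for the encryption: anyone who can replace the backup can replace the .sha256 beside it, so copy both to the remote location and compare against the copy kept there.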

Quick Start: Production-Ready Deployment

Follow these steps to deploy WAIaaS with Docker Secrets in production:

  1. Clone the repository and set up secrets:
git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
cd WAIaaS
mkdir -p secrets
chmod 700 secrets
echo "your-secure-password" > secrets/master_password.txt
chmod 600 secrets/master_password.txt
  2. Deploy with secrets overlay:
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
  3. Verify deployment health (Ctrl-C leaves the log follow):
docker compose logs -f daemon
curl http://localhost:3100/health
  4. Create your first wallet:
docker exec waiaas-daemon waiaas wallet create --name "production-wallet" --chain "ethereum"
  5. Set up monitoring and backups. Append the job rather than piping a single line into crontab -, which replaces every existing entry; give the backup an explicit path on the /data volume, the only writable location in the read-only container; and escape % because cron treats it as a newline:
# Create daily backup cron job
(crontab -l 2>/dev/null; echo '0 2 * * * docker exec waiaas-daemon waiaas backup create --encrypt --output /data/backup-$(date +\%Y\%m\%d).enc') | crontab -
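The steps above, together with the health check from the Monitoring section, as one added deployment script (POSIX shell, not WAIaaS project code). It refuses to start with a missing, empty or loosely permissioned secret file, and it gates wallet creation on Docker reporting the container healthy rather than on docker compose up having returned. The compose file names, the daemon and waiaas-daemon names, port 3100 and /health come from this page; PROJECT_DIR, the poll budget and the wallet name are assumptions.

```bash
#!/bin/sh
# Added example (not WAIaaS project code): the quick-start steps as one
# script. PROJECT_DIR, the poll budget and the wallet name are assumptions;
# everything else follows the commands on this page.
set -eu

PROJECT_DIR=${PROJECT_DIR:-$PWD}

# Poll a check command until it succeeds: $1 attempts, $2 seconds apart,
# remaining arguments are the command. Returns 1 when the budget is spent so
# callers stop the deployment instead of continuing against a dead daemon.
wait_until() {
  attempts=$1; delay=$2; shift 2
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if "$@" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "timed out after $attempts attempts: $*" >&2
  return 1
}

# Docker's own verdict from the compose healthcheck, so deployment gates on
# the same test that later marks the container unhealthy.
container_healthy() {
  [ "$(docker inspect --format '{{.State.Health.Status}}' "$1" 2>/dev/null)" = "healthy" ]
}

# Refuse to start with a missing, empty or group/world-readable secret file;
# compose would otherwise bring the daemon up with a broken configuration.
check_secret_file() {
  f=$1
  [ -s "$f" ] || { echo "missing or empty secret file: $f" >&2; return 1; }
  [ -n "$(find "$f" -prune -perm 600 -print)" ] || { echo "$f must be mode 600" >&2; return 1; }
}

deploy() {
  cd "$PROJECT_DIR"
  check_secret_file secrets/master_password.txt
  docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
  wait_until 30 2 container_healthy waiaas-daemon
  # Same endpoint the healthcheck uses, but from the host, through the bound port.
  curl -fsS http://localhost:3100/health
  echo
  docker exec waiaas-daemon waiaas wallet create --name "production-wallet" --chain "ethereum"
}

# Usage: deploy.sh deploy   (run from a clone of the repository)
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

The 30 attempts at 2-second intervals exceed the healthcheck's start_period plus three retries, so a genuine startup failure surfaces as a timeout here rather than as a wallet-creation error against a daemon that never came up.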

For development environments, you can skip the secrets setup and use auto-provisioning instead, but always use proper secret management for production deployments handling real funds.

Understanding proper secret management is just the first step in securing your crypto infrastructure. To learn more about implementing comprehensive security policies for your AI agents, check out Policy Engine Deep Dive: 21 Ways to Secure Your AI Agent's Crypto Transactions and Setting Up WalletConnect for Human-in-the-Loop Transaction Approval.

What's Next

Ready to deploy your own secure, self-hosted crypto infrastructure? Start with the GitHub repository for the complete source code and deployment guides. For additional documentation and enterprise support options, visit waiaas.ai to explore advanced features like multi-signature policies and hardware security module integration.