Production Docker secrets are the difference between a weekend prototype and infrastructure you'd trust with real assets. When self-hosting crypto wallet infrastructure, your security model determines whether you sleep soundly or wake up to empty wallets.
## Why Docker Secrets Matter for Crypto Infrastructure
Traditional environment variables leak secrets through process lists, Docker inspect commands, and container logs. In crypto infrastructure, this means private keys, master passwords, and RPC endpoints become visible to anyone with container access.
The stakes are higher than typical web applications. A compromised database password might leak user data, but a compromised wallet master password gives attackers direct access to cryptocurrency holdings across multiple wallets and chains.
## WAIaaS Docker Secrets Implementation

WAIaaS provides a production-ready secrets overlay using Docker Compose's native secrets management. Instead of passing sensitive values through environment variables, secrets are mounted as files inside containers with restricted permissions.

Here's the basic deployment without secrets:

```yaml
services:
  daemon:
    image: ghcr.io/minhoyoo-iotrust/waiaas:latest
    container_name: waiaas-daemon
    ports:
      - "127.0.0.1:3100:3100"
    volumes:
      - waiaas-data:/data
    environment:
      - WAIAAS_DATA_DIR=/data
      - WAIAAS_DAEMON_HOSTNAME=0.0.0.0
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3

# Named volume referenced above; Compose requires it to be declared.
volumes:
  waiaas-data:
```
The production secrets overlay (`docker-compose.secrets.yml`) adds Docker secrets integration:

```yaml
services:
  daemon:
    secrets:
      - master_password
      - solana_rpc_mainnet
      - ethereum_rpc_mainnet
    environment:
      - WAIAAS_MASTER_PASSWORD_FILE=/run/secrets/master_password
      - WAIAAS_RPC_SOLANA_MAINNET_FILE=/run/secrets/solana_rpc_mainnet
      - WAIAAS_RPC_EVM_ETHEREUM_MAINNET_FILE=/run/secrets/ethereum_rpc_mainnet

secrets:
  master_password:
    file: ./secrets/master_password.txt
  solana_rpc_mainnet:
    file: ./secrets/solana_rpc_mainnet.txt
  ethereum_rpc_mainnet:
    file: ./secrets/ethereum_rpc_mainnet.txt
```
## Setting Up Production Secrets

Create the secrets directory structure:

```sh
mkdir -p secrets
chmod 700 secrets

# Create master password (generates wallet encryption key)
openssl rand -base64 32 > secrets/master_password.txt

# Add RPC endpoints for mainnet access
echo "https://api.mainnet-beta.solana.com" > secrets/solana_rpc_mainnet.txt
echo "https://eth-mainnet.alchemyapi.io/v2/your-key" > secrets/ethereum_rpc_mainnet.txt

# Restrict file permissions
chmod 600 secrets/*.txt
```

Deploy with the secrets overlay:

```sh
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
```

Inside the container, WAIaaS reads secrets from `/run/secrets/` instead of environment variables. The entrypoint script automatically detects `*_FILE` environment variables and loads the corresponding file contents.
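To make the `*_FILE` convention concrete, here is an added example of a minimal POSIX `sh` resolver in the style of a container entrypoint. It is not WAIaaS's own entrypoint script; the function names `load_file_secret` and `resolve_waiaas_secrets` are assumed, and it adds the checks a production deployment wants: an error when both `NAME` and `NAME_FILE` are set, an error for a missing or empty file, and a warning when the file is readable by group or other.

```shell
#!/bin/sh
# Added example: a minimal *_FILE resolver in the style of a container
# entrypoint. Not WAIaaS's own entrypoint; function names are assumed.
set -u

# load_file_secret NAME: if NAME_FILE is set, read that file into NAME.
# Fails when NAME and NAME_FILE are both set (ambiguous source) or when the
# file is missing, unreadable or empty, so a broken mount is loud, not silent.
load_file_secret() {
  name=$1
  file_var="${name}_FILE"
  eval "file=\${$file_var:-}"      # POSIX indirect expansion
  eval "direct=\${$name:-}"
  if [ -n "$file" ] && [ -n "$direct" ]; then
    echo "error: both $name and $file_var are set; use only one" >&2
    return 1
  fi
  [ -n "$file" ] || return 0       # no _FILE variable: nothing to do
  if [ ! -r "$file" ]; then
    echo "error: $file_var=$file is missing or unreadable" >&2
    return 1
  fi
  # Warn if group/other can read the secret (ls columns 5-10 are g/o bits).
  case $(ls -ld "$file" | cut -c5-10) in
    *r*) echo "warning: $file is readable by group/other" >&2 ;;
  esac
  # $(...) drops trailing newlines, so a file written with 'echo' round-trips.
  value=$(cat "$file")
  if [ -z "$value" ]; then
    echo "error: $file is empty" >&2
    return 1
  fi
  export "$name=$value"
  # The value now lives only in this process's environment; never log it.
}

# resolve_waiaas_secrets: resolve the three variables the overlay sets.
resolve_waiaas_secrets() {
  for n in WAIAAS_MASTER_PASSWORD WAIAAS_RPC_SOLANA_MAINNET \
           WAIAAS_RPC_EVM_ETHEREUM_MAINNET; do
    load_file_secret "$n" || return 1
  done
}
```

Because `$(cat "$file")` strips trailing newlines, the files created with `echo "..." > secrets/x.txt` above load without a stray newline in the value.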
## Security Benefits Over Environment Variables

Docker secrets provide several security advantages for crypto infrastructure:

- **Process isolation:** Secrets appear as tmpfs files mounted only inside target containers, invisible to `docker inspect` and process lists.
- **File permissions:** Secret files have 600 permissions (readable only by the owner) by default, preventing unauthorized access even within the container.
- **No leak through logs:** Environment variables containing secrets can accidentally appear in application logs or error messages. File-based secrets reduce this risk.
- **Swarm compatibility:** Docker secrets work seamlessly with Docker Swarm for multi-node deployments, with automatic secret distribution and rotation capabilities.
The WAIaaS daemon runs as UID 1001 (non-root) inside containers, following security best practices. Combined with secret files, this creates defense-in-depth against container escape vulnerabilities.
## Secrets Rotation and Management

Production crypto infrastructure requires periodic secret rotation. WAIaaS supports hot-reloading of RPC endpoint secrets without restarting wallets or interrupting AI agent operations.

Update RPC secrets:

```sh
# Update RPC endpoint
echo "https://new-rpc-endpoint.com" > secrets/solana_rpc_mainnet.txt

# Reload configuration (sends SIGHUP to daemon)
docker compose kill -s SIGHUP daemon
```

Master password rotation requires more care since it encrypts wallet private keys:

```sh
# 1. Create new master password
openssl rand -base64 32 > secrets/master_password_new.txt

# 2. Migrate wallets to new password (requires downtime)
docker compose down
docker compose -f docker-compose.yml -f docker-compose.secrets.yml run --rm daemon migrate-master-password

# 3. Replace old password file
mv secrets/master_password_new.txt secrets/master_password.txt
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
```
## Alternative: Auto-Provision for Development

For development and testing, WAIaaS supports auto-provisioning that generates random master passwords automatically:

```sh
docker run -d \
  --name waiaas \
  -p 127.0.0.1:3100:3100 \
  -v waiaas-data:/data \
  -e WAIAAS_AUTO_PROVISION=true \
  ghcr.io/minhoyoo-iotrust/waiaas:latest

# Retrieve auto-generated password
docker exec waiaas cat /data/recovery.key
```
Auto-provision creates a recovery.key file containing the randomly generated master password. This provides convenience for development while maintaining security through cryptographically strong password generation.
For production use, replace auto-provision with explicit secrets after initial setup:

```sh
# Extract auto-generated password
MASTER_PASSWORD=$(docker exec waiaas cat /data/recovery.key)

# Create proper secret file
echo "$MASTER_PASSWORD" > secrets/master_password.txt
chmod 600 secrets/master_password.txt

# Redeploy with secrets overlay
docker compose down
docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d

# Remove recovery.key file
docker exec waiaas rm /data/recovery.key
```
## Quick Start: Production Deployment

Here's the minimal setup for production-ready WAIaaS with Docker secrets:

- Clone and set up secrets:

  ```sh
  git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
  cd WAIaaS
  mkdir -p secrets && chmod 700 secrets
  ```

- Generate master password:

  ```sh
  openssl rand -base64 32 > secrets/master_password.txt
  chmod 600 secrets/master_password.txt
  ```

- Add RPC endpoints:

  ```sh
  echo "https://your-solana-rpc.com" > secrets/solana_rpc_mainnet.txt
  echo "https://your-ethereum-rpc.com" > secrets/ethereum_rpc_mainnet.txt
  chmod 600 secrets/*.txt
  ```

- Deploy with secrets:

  ```sh
  docker compose -f docker-compose.yml -f docker-compose.secrets.yml up -d
  ```

- Verify deployment:

  ```sh
  curl http://127.0.0.1:3100/health
  # Should return {"status": "healthy"}
  ```
The daemon starts with encrypted storage, production RPC endpoints, and no secrets visible through `docker inspect` or process lists.
For ongoing management, consider setting up automated secret rotation, monitoring for RPC endpoint health, and implementing backup procedures for the waiaas-data Docker volume containing encrypted wallet files.
Self-hosted crypto infrastructure requires careful attention to operational security. Docker secrets provide a foundation, but remember that physical security of the host machine, network isolation, and proper backup procedures are equally important for protecting cryptocurrency holdings.
Ready to deploy your own self-hosted wallet infrastructure? Get started with the complete setup guide at GitHub or explore the architecture documentation at waiaas.ai.
## What's Next
Master the policy engine to control exactly what your AI agents can do with your funds, or explore MCP integration to connect your wallets with Claude Desktop for conversational crypto management.