Skip to content

Ability to specify usage of the unsafe credentials filestore explicitely #6719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
WildRackoon wants to merge 3 commits into
base: master
Choose a base branch
from
+13 −6
Open

Ability to specify usage of the unsafe credentials filestore explicitely #6719

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
458d3fd
Allow using credential 'filestore' explicitly
WildRackoon Dec 19, 2025
ee43f57
Document reserved 'filestore' usage
WildRackoon Dec 19, 2025
ebb3d46
Fix ambiguous doc on credential store fallback
WildRackoon Dec 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions cli/config/configfile/file.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,9 @@ func (configFile *ConfigFile) GetCredentialsStore(registryHostname string) crede
store := credentials.NewFileStore(configFile)

if helper := getConfiguredCredentialStore(configFile, registryHostname); helper != "" {
if helper == "filestore" {
return store
}
store = newNativeStore(configFile, helper)
}

Expand Down
16 changes: 10 additions & 6 deletions docs/reference/commandline/login.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,15 @@ store](#credential-stores). If you use Docker Desktop, credentials are
automatically saved to the native keychain of your operating system. If you're
not using Docker Desktop, you can configure the credential store in the Docker
configuration file, which is located at `$HOME/.docker/config.json` on Linux or
`%USERPROFILE%/.docker/config.json` on Windows. If you don't configure a
credential store, Docker stores credentials in the `config.json` file in a
base64-encoded format. This method is less secure than configuring and using a
credential store.
`%USERPROFILE%/.docker/config.json` on Windows.

`docker login` also supports [credential helpers](#credential-helpers) to help
`docker login` supports [credential helpers](#credential-helpers) to help
you handle credentials for specific registries.

If you don't configure a credential store and no credential helper is available,
Docker stores credentials in the `config.json` file in a base64-encoded format.
This method is less secure than configuring and using a credential store.

### Authentication methods

You can authenticate to a registry using a username and access token or
Expand Down Expand Up @@ -83,6 +84,9 @@ For example, to use `docker-credential-osxkeychain`:
}
```

The reserved value `filestore` can be used to store the base64-encoded
credentials directly in the `config.json` configuration file.

If you are currently logged in, run `docker logout` to remove
the credentials from the file and run `docker login` again.

Expand All @@ -92,7 +96,7 @@ By default, Docker looks for the native binary on each of the platforms, i.e.
`osxkeychain` on macOS, `wincred` on Windows, and `pass` on Linux. A special
case is that on Linux, Docker will fall back to the `secretservice` binary if
it cannot find the `pass` binary. If none of these binaries are present, it
stores the base64-encoded credentials in the `config.json` configuration file.
follows the `filestore` behavior described above.

#### Credential helper protocol

Expand Down