10.1.2.5 Registry Credential Storage
A focused guide to Registry Credential Storage, connecting core concepts with practical Docker and container operations.
Registry credential storage refers to how Docker persists authentication details after a successful docker login. By default they go into a local configuration file, and the storage mechanism in use has real security implications.
Where Docker Stores Credentials by Default
Without additional configuration, Docker's CLI stores authentication details in a configuration file in the user's home directory.
docker login registry.example.com
cat ~/.docker/config.json
{
  "auths": {
    "registry.example.com": {
      "auth": "bXl1c2VyOnNlY3JldA=="
    }
  }
}
This stored value is simply the username and password combined and base64-encoded. Base64 is an encoding, not encryption, so it provides no real protection if someone unauthorized can read the file.
Why Using a Credential Helper Is a More Secure Alternative
Docker supports credential helpers that integrate with a platform's native, more secure credential storage (like a system keychain) rather than storing credentials in this comparatively exposed, plaintext-equivalent format.
{
  "credsStore": "desktop"
}
Configuring a credential helper like this routes credential storage through a more secure, platform-native mechanism instead of the default configuration file approach.
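An audit of the two storage modes described above, as an added example that is not part of the original guide: it reports, per registry, whether the secret sits inline in config.json or behind a helper, and returns only the username so the password is never echoed. The function names, the second registry and its credHelpers entry are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample: the config.json shown above, plus one registry whose
# entry is empty because a credential helper holds its secret.
SAMPLE_CONFIG = json.loads("""
{
  "auths": {
    "registry.example.com": {"auth": "bXl1c2VyOnNlY3JldA=="},
    "registry2.example.net": {}
  },
  "credHelpers": {"registry2.example.net": "desktop"}
}
""")

def audit_docker_config(config):
    """Return one finding per registry under "auths": where its credential lives."""
    default_store = config.get("credsStore")      # global helper, if any
    helpers = config.get("credHelpers", {})       # per-registry helpers
    findings = []
    for registry, entry in config.get("auths", {}).items():
        finding = {"registry": registry, "storage": "none", "username": None}
        blob = entry.get("auth")
        if blob:
            # Inline secret: anyone who can read the file can decode it.
            finding["storage"] = "inline-base64"
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                finding["username"] = decoded.split(":", 1)[0]
            except (binascii.Error, UnicodeDecodeError):
                finding["storage"] = "inline-unparseable"
        elif registry in helpers or default_store:
            finding["storage"] = "helper:" + helpers.get(registry, default_store)
        findings.append(finding)
    return findings

def exposed_registries(config):
    """Registries whose credential is stored inline in the config file."""
    return [f["registry"] for f in audit_docker_config(config)
            if f["storage"].startswith("inline")]

if __name__ == "__main__":
    for f in audit_docker_config(SAMPLE_CONFIG):
        print(f)
```

To check a real machine, pass the result of json.load() on ~/.docker/config.json instead of the sample.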
Why This Matters for Shared or Less-Trusted Machines
On a machine accessible to multiple users, or one with a less trusted security posture, relying on the default, weakly protected credential storage carries more risk than on a machine that one person fully and exclusively trusts.
docker logout registry.example.com
Explicitly logging out removes the stored credential, an appropriate precaution on a machine not exclusively and persistently under one person's control.
Why Registry Credential Storage Matters
Understanding exactly how and where Docker stores authentication credentials, and the security implications of the default approach versus a credential helper, is important for making informed decisions about credential security, particularly on machines with a less straightforward trust model.