I'm creating a small startup project. I own one public server. On this server I will use docker compose to run my project.
I want to pass sensitive data to my containers, like the db password etc. I have 3 options:
I'm thinking about passing encrypted values to the container in env variables. The disadvantage here is that my .jar file needs to contain a cert or password to decrypt them, and also a few modifications to the code need to be made.
Is the increase in security worth doing this? Or is it so small that this gives almost nothing and I should stay with plain-text data in env variables?
You need a risk-based approach to identify the best solution. So in your case, since as you mention Vault is out due to resource constraints, we are left with 2 options.
When comparing the two, both are susceptible to information disclosure due to unauthorized shell access, either through password compromise or through RCE / reverse shell techniques. In this case I would definitely advise going for encrypted values of the env variables which you pass through to the containers, since that adds an extra layer of security. Also for jars we have substantial resources available whereby obfuscation can be used to make it hard to extract resources from the files. You can also use the Java KeyStore as the container for your secrets and follow the best practices for JKS password security.
At the end of the day no solution is fully secure, but defensive security strives to have different layers of defense and make it really effort-intensive for a malicious entity to break in.
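As an added illustration of the scheme the answer recommends (not code from either poster), this is what the decryption side inside the jar could look like: the app reads an AES-GCM encrypted value from an env variable and decrypts it with a key held in a PKCS12 keystore. The env variable names, keystore path and alias are assumptions; note that the keystore password itself still has to reach the process, which is exactly the trade-off the question raises.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Decrypts AES-GCM values passed to the container via environment variables. */
public final class SecretEnv {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_LEN = 12;          // 96-bit nonce, prepended to the ciphertext

    private final SecretKey key;

    private SecretEnv(SecretKey key) { this.key = key; }

    /** Loads the AES key stored under {@code alias} in a PKCS12 keystore shipped with the jar. */
    static SecretEnv fromKeyStore(Path ksPath, char[] ksPassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (var in = Files.newInputStream(ksPath)) {
            ks.load(in, ksPassword);
        }
        SecretKey key = (SecretKey) ks.getKey(alias, ksPassword);
        if (key == null) throw new IllegalStateException("no key under alias " + alias);
        return new SecretEnv(key);
    }

    /** Expects base64(iv || ciphertext || tag); the tag check fails loudly on tampered values. */
    String decrypt(String base64Value) throws Exception {
        byte[] blob = Base64.getDecoder().decode(base64Value);
        if (blob.length < IV_LEN + GCM_TAG_BITS / 8) throw new IllegalArgumentException("value too short");
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] plain = c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Assumed names: KEYSTORE_PASSWORD and DB_PASSWORD_ENC are set by docker compose,
        // /app/secrets.p12 is baked into the image. Anyone with a shell in the container
        // sees all three, so this raises the effort, not the ceiling.
        char[] ksPw = System.getenv("KEYSTORE_PASSWORD").toCharArray();
        SecretEnv env = SecretEnv.fromKeyStore(Path.of("/app/secrets.p12"), ksPw, "env-key");
        String dbPassword = env.decrypt(System.getenv("DB_PASSWORD_ENC"));
        // hand dbPassword to the datasource; never log it
    }
}
```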