Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Getting Started With Docker BuildKit In Order To Safely Use A Private SSH Key During A Build

Docker BuildKit is an overhaul of the build architecture. By integrating BuildKit, users should see improvements in performance, storage management, feature functionality, and security. It ships with Docker 18.09 and later.

Most importantly, it allows additional features such as:

  • the ability to use the --secret command line option to allow the user to pass secret information for use during the build.
  • the ability to use the --ssh command line option to allow the Docker Engine to forward SSH agent connections during the build.

Windows users appear to be using it by default.

Enable BuildKit

You can enable BuildKit in two different ways. The first is to set the DOCKER_BUILDKIT environment variable at the point of performing the build, like so:

DOCKER_BUILDKIT=1 docker build .

Alternatively, you can enable BuildKit by default for the Docker daemon by configuring the daemon and restarting it:

# Note: this overwrites any existing /etc/docker/daemon.json
echo '{ "features": { "buildkit": true } }' | sudo tee /etc/docker/daemon.json && \
  sudo service docker restart

Change Output

After enabling BuildKit, you will notice that the output during the build is shown in a different manner. If you would prefer to go back to a simpler output then change the progress option.


If using Jenkins for your pipeline, you can enable BuildKit by putting the following in your pipeline:

environment { DOCKER_BUILDKIT = '1' }

Using Private SSH Key During A Build

Now that we have BuildKit enabled, we can make use of it in order to safely utilize a private SSH key for retrieving assets during a build, without a record of the SSH key being anywhere inside the image's layers. This way, if someone manages to get hold of the Docker image, they do not have access to your private SSH key, only the assets that it was used to retrieve.

Below is an example of setting up your Dockerfile in order to use a private SSH key to install a private python package:

FROM ubuntu:20.04

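# Install required packages (-y so the build does not stop at the confirmation prompt)
RUN apt-get update && apt-get install -y openssh-client git python3-pip

# Set up SSH and add github to our list of known hosts.
# ssh-keyscan trusts whatever host key is returned at build time.
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts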

# Install a private python package using a GitHub deploy key (private SSH key)
RUN --mount=type=ssh pip install git+ssh://

# other things...

Then you can build with:

docker build --ssh default .
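
A check for the claim above that the key leaves no record in the image's layers, as an added example that is not from the original post: it scans a `docker save` archive layer by layer for private key headers. The archives, the sample key text and the function names are constructed for illustration, and the leaky case assumes a Dockerfile that copies a key in and deletes it in a later step.

```python
import io
import re
import tarfile

# Header of PEM / OpenSSH private keys, e.g. "-----BEGIN OPENSSH PRIVATE KEY-----".
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def find_private_keys(image_tar):
    """Return sorted (layer, path) pairs for files in a `docker save` archive
    (binary file object) whose contents include a private key header."""
    hits = []
    with tarfile.open(fileobj=image_tar, mode="r:*") as image:
        for member in image.getmembers():
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            try:  # layers are (possibly gzipped) tars; manifest/config JSON is not
                layer = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
            except (tarfile.TarError, EOFError):
                continue
            with layer:
                for entry in layer.getmembers():
                    if entry.isfile() and KEY_MARKER.search(layer.extractfile(entry).read()):
                        hits.append((member.name, entry.name))
    return sorted(hits)

def _tar(files):
    """Build an in-memory tar from {path: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

FAKE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed, not a real key\n"

def sample_images():
    """Two constructed archives: a COPY-then-rm build and a --mount=type=ssh build."""
    # COPY id_rsa + RUN rm: layer2 only records a whiteout, layer1 still holds the key.
    leaky = _tar({"layer1/layer.tar": _tar({"root/.ssh/id_rsa": FAKE_KEY}).getvalue(),
                  "layer2/layer.tar": _tar({"root/.ssh/.wh.id_rsa": b""}).getvalue(),
                  "manifest.json": b"[]"})
    # RUN --mount=type=ssh: only the installed package was written to a layer.
    clean = _tar({"layer1/layer.tar": _tar({"opt/pkg/__init__.py": b"x = 1\n"}).getvalue(),
                  "manifest.json": b"[]"})
    return leaky, clean
```

To run it against a real image, export the image with `docker save IMAGE -o image.tar` and pass `open("image.tar", "rb")` to `find_private_keys`; an empty list means no layer contains a private key header.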


Last updated: 11th October 2021
First published: 11th October 2021