
Secrets management in Docker - Commands & Configuration

Introduction
Secrets management keeps sensitive values such as database passwords, API keys and TLS private keys out of images, source code and environment variables. In Docker swarm, each secret is stored encrypted in the swarm's Raft log, sent over TLS only to the nodes that run a task referencing it, and mounted as a file under /run/secrets inside the container, where the application reads it only when it needs it.
When you want to store database passwords securely for your Docker containers.
When you need to provide API keys to your app without hardcoding them in the image.
When multiple services need access to the same secret without exposing it in logs.
When you want to rotate secrets without rebuilding your Docker images.
When you want to avoid committing sensitive data to version control.
Config File - docker-compose.yml
version: '3.8'
services:
  my-app:
    image: nginx:1.23
    secrets:
      - db_password
secrets:
  db_password:
    external: true

This docker-compose.yml defines a service called my-app from the nginx:1.23 image and attaches the secret db_password to it; inside the container it appears as the file /run/secrets/db_password. The `external: true` entry tells `docker stack deploy` that the secret already exists in the swarm, which is what the `docker secret create` command below provides. If you write `file: ./db_password.txt` instead, the stack creates its own copy named mystack_db_password from that file at deploy time, and the separate `docker secret create` step becomes redundant. Either way the value is never baked into the image or exposed as an environment variable.

Commands
Create a file named db_password.txt containing the secret. printf is used rather than echo because echo appends a newline, which would become part of the secret and later fail an exact password comparison; the umask makes the file readable only by you. Delete the file as soon as the secret has been created, or skip it entirely with `printf '%s' 'supersecret123' | docker secret create db_password -`, which reads the value from stdin.
Terminal
(umask 077; printf '%s' 'supersecret123' > db_password.txt)
Expected output
No output (command runs silently)
Create a Docker secret named db_password from the file db_password.txt. Swarm stores it encrypted in its Raft log and prints the generated secret ID (not the name); the ID shown here is an example.
Terminal
docker secret create db_password db_password.txt
Expected output
dg426haahpi5ezmkkj5kyl3sn
Deploy the stack named mystack from docker-compose.yml. `docker stack deploy` requires swarm mode: if `docker info` reports Swarm: inactive, run `docker swarm init` once on this host first. The service starts with the secret attached.
Terminal
docker stack deploy -c docker-compose.yml mystack
Expected output
Creating network mystack_default
Creating service mystack_my-app
-c - Specify the compose file to use
List the swarm services to verify that mystack_my-app is running and that REPLICAS shows 1/1. A 0/1 here usually means the task failed to start (for example because the referenced secret does not exist); `docker service ps mystack_my-app` shows the error.
Terminal
docker service ls
Expected output
ID             NAME             MODE         REPLICAS   IMAGE        PORTS
abc123def456   mystack_my-app   replicated   1/1        nginx:1.23
Read the secret inside the running container. Swarm mounts it as a file on an in-memory tmpfs at /run/secrets/db_password; by default the file is mode 0444, so any process in the container can read it (tighten that with `mode: 0400` in the long-form secrets entry of the service). The `docker ps` lookup only finds the container on the node where the task is scheduled; on a multi-node swarm locate that node with `docker service ps mystack_my-app` first.
Terminal
docker exec $(docker ps -q -f name=mystack_my-app) cat /run/secrets/db_password
Expected output
supersecret123
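The command above shows the secret is there; what an application should do with it is the other half. The following entrypoint helpers are an added example, not code from the original page or from Docker: they read the file swarm mounts under /run/secrets instead of expecting the value in an environment variable, strip the trailing newline an `echo`-created secret would carry, fail closed when the secret is missing or empty, and hand the value to the application through a 0600 file rather than an exported variable. SECRETS_DIR (an override so the script can be exercised outside a container), the VAR_FILE convention (used by many official images such as postgres, but not part of Docker itself) and the my-app binary in the usage comment are assumptions.

```bash
#!/bin/sh
# Added example: the consumer side of a Docker secret inside a container.
# Assumptions: SECRETS_DIR is only an override for testing; in a real task
# the default /run/secrets is where swarm mounts the secret files.

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME
# Prints the secret without a trailing newline: the $(...) capture strips the
# newline that `echo "..." > file` would have written into the secret.
# Exit status: 0 ok, 1 file missing or unreadable, 2 file empty.
read_secret() {
    path="$SECRETS_DIR/$1"
    [ -r "$path" ] || return 1
    value=$(cat "$path")
    [ -n "$value" ] || return 2
    printf '%s' "$value"
}

# env_or_file VAR
# Resolves VAR from VAR_FILE when that is set (the swarm case: VAR_FILE
# points at /run/secrets/<name>), otherwise from VAR itself (local dev).
# Refuses the ambiguous case where both are set, so a stray env var cannot
# silently override the mounted secret.
# Exit status: 0 ok, 1 file missing, 2 empty value, 3 both VAR and VAR_FILE set.
env_or_file() {
    var=$1
    eval "file=\${${var}_FILE:-}"
    eval "plain=\${$var:-}"
    if [ -n "$file" ] && [ -n "$plain" ]; then
        echo "error: $var and ${var}_FILE are both set" >&2
        return 3
    fi
    if [ -n "$file" ]; then
        [ -r "$file" ] || return 1
        value=$(cat "$file")
    else
        value=$plain
    fi
    [ -n "$value" ] || return 2
    printf '%s' "$value"
}

# write_db_config DEST
# Hands the password to the application through a file created under
# umask 077 rather than an exported variable: an exported DB_PASSWORD shows
# up in `docker inspect`, in /proc/<pid>/environ and in every child process
# the application spawns.
write_db_config() {
    dest=$1
    password=$(read_secret db_password) || return $?
    ( umask 077; printf 'db_password=%s\n' "$password" > "$dest" )
}

# Usage in a container entrypoint (my-app is a hypothetical binary):
#   write_db_config /run/app/db.conf || { echo "db_password secret missing" >&2; exit 1; }
#   exec my-app --config /run/app/db.conf
```

The exit codes are distinct on purpose: an orchestrator log line that says "secret file missing" versus "secret file empty" points at a compose typo versus a bad `docker secret create` invocation without anyone having to print the value.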
Key Concept

If you remember nothing else from this pattern, remember: a Docker secret is stored encrypted in the swarm's Raft store, delivered over TLS only to the nodes that run a task referencing it, and appears inside the container as a file on an in-memory tmpfs under /run/secrets. It is never part of the image, of `docker inspect` output, or of the process environment.

Common Mistakes
Trying to use Docker secrets with a standalone `docker run` container.
The `docker secret` commands and the swarm secret store only exist in swarm mode, and `docker run` has no `--secret` flag. (`docker compose up` without swarm accepts a `file:` secret, but it simply bind-mounts that file into /run/secrets, with none of the encryption, distribution or access controls.)
Run `docker swarm init` and deploy with `docker stack deploy` or `docker service create --secret`.
Putting secret values in environment variables or in Dockerfile ENV/ARG instructions.
ENV and ARG values are recorded in the image metadata and layers, visible with `docker history` and `docker inspect` and shipped to every registry the image is pushed to. Environment variables of a running container are readable with `docker inspect` and from /proc/<pid>/environ, and are inherited by every child process, so they end up in crash dumps and debug output.
Reference the secret in the service definition and have the application read /run/secrets/<name>.
Leaving the secret file on the host after `docker secret create`.
A plaintext file on the host bypasses every protection swarm gives the secret: other users, backups and host-level compromise can read it.
Create the secret from stdin (`docker secret create db_password -`) so no file is needed, or write the file with a restrictive umask and delete it immediately after the secret exists.
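Creating the secret from stdin and rotating it without rebuilding the image (the last of the use cases listed in the Introduction) fit together, because a swarm secret is immutable: you cannot change db_password in place while a service references it, so rotation means creating a new versioned secret and swapping it into the service. The script below is an added example, not code from the original page or from Docker; the `docker secret create NAME -`, `docker service inspect --format` and `docker service update --secret-rm/--secret-add` invocations are real CLI usage, while the service name mystack_my-app, the versioned names db_password_v1/db_password_v2 and the stub used in the test are assumptions.

```bash
#!/bin/sh
# Added example: create a secret from stdin (nothing written to the host
# filesystem) and rotate the secret attached to a running service.
# Assumed names: mystack_my-app, db_password_v1, db_password_v2.

# current_secret_for_target SERVICE TARGET
# Prints the name of the swarm secret currently mounted at
# /run/secrets/TARGET in SERVICE, or nothing if there is none.
current_secret_for_target() {
    docker service inspect --format \
        '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}} {{.File.Name}}{{"\n"}}{{end}}' \
        "$1" | awk -v t="$2" '$2 == t { print $1 }'
}

# rotate_db_password SERVICE TARGET NEW_SECRET_NAME
# Reads the new value from stdin, creates NEW_SECRET_NAME from it, and swaps
# it into SERVICE at the same mount path so the application is unchanged;
# swarm restarts the tasks with the new file. Prints the old secret's name
# on stdout so the caller can remove it once the rollout is verified.
rotate_db_password() {
    service=$1 target=$2 new=$3
    old=$(current_secret_for_target "$service" "$target")
    if [ -z "$old" ]; then
        echo "error: $service mounts no secret at /run/secrets/$target" >&2
        return 1
    fi
    if [ "$old" = "$new" ]; then
        echo "error: $new is already attached; secrets are immutable, pick a new version name" >&2
        return 1
    fi
    # The value arrives on stdin ("-"), so it never touches the host disk.
    # docker prints the new secret's ID; route it to stderr so stdout carries
    # only the old name.
    docker secret create "$new" - >&2 || return 1
    docker service update \
        --secret-rm "$old" \
        --secret-add "source=$new,target=$target" \
        "$service" >&2 || return 1
    printf '%s' "$old"
}

# Usage (value from a password manager, never from a shell argument, which
# would show up in `ps` and shell history):
#   old=$(pass show prod/db | rotate_db_password mystack_my-app db_password db_password_v2)
#   docker service ps mystack_my-app          # confirm the new tasks are Running
#   docker secret rm "$old"                   # only succeeds once nothing references it
```

Two caveats a practitioner hits here. First, `docker secret rm` refuses while any service still references the secret, which is a useful guard against removing the live one. Second, `docker service update` changes only the running service: the next `docker stack deploy` from the unchanged compose file would reattach the old secret, so bump the compose entry as well (with `external: true`, set `name: db_password_v2` under the secret, supported from compose file version 3.5) before redeploying.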
Summary
Create a secret file with the sensitive data.
Use 'docker secret create' to add the secret to Docker's secret store.
Deploy your app as a Docker stack or service referencing the secret.
Verify the secret is available inside the running container securely.