Docker · How-To · Beginner · 3 min read

How to Use Docker Secrets for Secure Data Management

Use docker secret create to add secrets, then reference them in your docker service create command with --secret. Docker secrets are stored encrypted by the Swarm managers and delivered only to the containers of services that were explicitly granted access, where each secret appears as a file under /run/secrets/.

Syntax

Docker secrets are managed with these main commands:

  • docker secret create [secret_name] [file]: Creates a secret from a file. Pass - as the file to read the value from standard input, so the plaintext never has to be written to disk.
  • docker service create --secret [secret_name]: Attaches the secret to every task of the service. The long form --secret source=[secret_name],target=[file_name],uid=[uid],gid=[gid],mode=[mode] controls the file name, owner and permissions inside the container (the default is mode 0444 owned by root).
  • docker secret ls: Lists all secrets (names and IDs only, never values).
  • docker secret rm [secret_name]: Removes a secret. This fails while any service still references it.

Secrets are stored encrypted on the Swarm managers and are sent to a worker only when it runs a task that needs them. Inside a Linux container each secret is mounted on an in-memory (tmpfs) filesystem at /run/secrets/[secret_name]; Windows containers receive them under C:\ProgramData\Docker\secrets instead. All of this requires the daemon to be in swarm mode (docker swarm init).

bash
docker secret create my_secret ./password.txt

docker service create --name my_service --secret my_secret nginx

Example

This example shows how to create a secret from a file and use it in a Docker service.

bash
# Create a file with secret data. printf is used instead of echo because echo
# appends a newline, and that newline would become part of the secret value,
# which trips up many applications. Delete password.txt once the secret exists.
printf '%s' "my_password" > password.txt

# Create the secret in Docker (the daemon must be in swarm mode: docker swarm init)
docker secret create db_password password.txt

# Create a service that uses the secret
docker service create --name my_db_service --secret db_password nginx

# Inside the container, the secret is available at /run/secrets/db_password
Output
docker secret create prints the ID of the new secret; docker service create prints the ID of the new service followed by task progress until it reports "verify: Service converged". Neither command ever prints the secret's value, and docker secret ls / docker secret inspect show only its name, ID and timestamps.
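The walk-through above uses a file on disk and stops at the first deployment. The script below is an added example, not code from the original article or from Docker, that carries the same procedure through the parts a practitioner actually needs: validating the name and size before calling the CLI, creating the secret from standard input so the plaintext never touches the filesystem, attaching it with an explicit target name, owner and mode, verifying it inside a running task, and rotating it. The docker commands only run when the script is invoked as `sh secrets-demo.sh deploy` against a daemon in swarm mode; the two validation helpers run anywhere. The names db_password_v1, db_password_v2, my_db_service and the uid/gid 1000 are illustrative choices.

```sh
#!/bin/sh
# Added example, not from the original article: provision, verify and rotate a
# Docker secret without writing the plaintext to disk. The docker commands only
# run when invoked as "sh secrets-demo.sh deploy" against a swarm-mode daemon;
# the validation helpers run anywhere. db_password_v1, db_password_v2,
# my_db_service and uid/gid 1000 are illustrative assumptions.
set -eu

# Docker accepts names of 1 to 64 characters from [A-Za-z0-9._-] whose first and
# last character are alphanumeric. Checking up front turns a typo into a clear
# error instead of a half-finished deployment.
validate_secret_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 64 ] || return 1
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;   # character outside the allowed set
        [!A-Za-z0-9]*)     return 1 ;;   # must start with an alphanumeric
        *[!A-Za-z0-9])     return 1 ;;   # must end with an alphanumeric
    esac
    return 0
}

# Swarm refuses payloads larger than 500 KB (500 * 1024 bytes); an empty secret
# is almost always a mistake, so reject that too.
validate_secret_size() {
    [ -f "$1" ] || return 1
    size=$(( $(wc -c < "$1") + 0 ))
    [ "$size" -gt 0 ] && [ "$size" -le 512000 ]
}

# Feed the value through stdin: nothing touches the filesystem, and printf adds
# no trailing newline (echo would, and it would become part of the secret).
# Versioned names are needed because secrets are immutable once created.
create_secret() {
    validate_secret_name "$1" || { echo "invalid secret name: $1" >&2; return 1; }
    printf '%s' "$2" | docker secret create "$1" -
}

# Mount the secret under the file name the application expects, readable only by
# the uid the application runs as (the default is mode 0444 owned by root).
deploy_service() {
    docker service create --name my_db_service \
        --secret "source=$1,target=db_password,uid=1000,gid=1000,mode=0400" \
        nginx
}

# Read the file back from a running task to confirm mount path, mode and value.
show_secret_in_task() {
    cid=$(docker ps -q --filter name=my_db_service | head -n 1)
    docker exec "$cid" sh -c 'ls -l /run/secrets/ && cat /run/secrets/db_password && echo'
}

# Rotation: swap the new version in (Swarm rolls the tasks), then delete the old
# one. docker secret rm fails while a service still references the secret, so
# the order of the two commands matters.
rotate_secret() {
    docker service update \
        --secret-rm "$1" \
        --secret-add "source=$2,target=db_password,uid=1000,gid=1000,mode=0400" \
        my_db_service
    docker secret rm "$1"
}

if [ "${1:-}" = "deploy" ]; then
    create_secret db_password_v1 'correct horse battery staple'
    deploy_service db_password_v1
    sleep 5                      # let the first task start
    show_secret_in_task
    create_secret db_password_v2 'new-value-after-rotation'
    rotate_secret db_password_v1 db_password_v2
    sleep 5
    show_secret_in_task
    docker service rm my_db_service
    docker secret rm db_password_v2
fi
```

The uid/gid/mode triple is the part most often skipped: with the default 0444 root-owned file any process in the container can read the secret, so matching uid to the application's user and using mode 0400 is what actually restricts it.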

Common Pitfalls

Common mistakes when using Docker secrets include:

  • Trying to use secrets with docker run. docker secret and --secret are Swarm features: the daemon must be in swarm mode (docker swarm init) and the secret reaches a container only through a service. (Docker Compose can bind-mount a host file under /run/secrets for docker compose up without Swarm, but that file is neither encrypted nor access-controlled by Docker; it is a convenience for development.)
  • Attaching the secret under a different name than the application expects. --secret source=db_password,target=db_pass mounts it at /run/secrets/db_pass, and a service that starts as root and then drops privileges will find the file unreadable unless uid/gid/mode were set to match the unprivileged user.
  • Storing secrets in environment variables or image layers. Environment variables are exposed by docker inspect and inherited by every child process; values baked into layers are exposed by docker history and by anyone who pulls the image.
  • Forgetting that secrets are immutable. The value cannot be changed in place, so rotation means creating a new secret (for example db_password_v2) and running docker service update --secret-rm db_password --secret-add source=db_password_v2,target=db_password on the service. Remove the old secret afterwards: docker secret rm refuses while a service still references it, and stale versions left behind are easy to confuse with the live one.
bash
# Wrong: --secret is not a docker run flag; the CLI rejects it as an unknown flag
docker run --name test_container --secret db_password nginx

# Right: attach secrets to a Swarm service
docker service create --name test_service --secret db_password nginx
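The pitfalls above are all on the consumer side of the secret: the wrong file name, the wrong owner, or a value taken from the environment instead of the file. The helper below is an added example, not code from the original article or from any Docker image, showing the pattern an entrypoint should use. It follows the NAME_FILE convention that several official images use (the environment variable names the file, the file holds the value), fails closed on a missing or empty file, constrains the read to the secrets directory, and only falls back to a plain environment variable with a warning. SECRETS_DIR is an assumption that lets the functions run outside a container; inside one it stays at the Docker default, /run/secrets.

```sh
#!/bin/sh
# Added example, not from the original article: the consumer side of a Docker
# secret. An entrypoint reads the credential from its file under /run/secrets
# rather than from the environment. SECRETS_DIR is an assumption for running
# the helpers outside a container; the Docker default is /run/secrets.
set -eu

SECRETS_DIR=${SECRETS_DIR:-/run/secrets}

# Print the value of one secret. Fails closed (non-zero status, nothing on
# stdout) if the file is missing, unreadable or empty, so a mis-attached secret
# stops the service instead of starting it with an empty password.
# $(cat ...) strips trailing newlines, which is what you want for values that
# were created with echo; a value that must keep its final newline has to be
# consumed with cat directly.
read_secret() {
    path="$SECRETS_DIR/$1"
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "secret '$1' is not readable at $path" >&2
        return 1
    fi
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "secret '$1' is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# Resolve a setting such as DB_PASSWORD. The preferred source is DB_PASSWORD_FILE,
# which should point into /run/secrets; only the file's basename is used, so a
# tampered variable cannot redirect the read to an arbitrary path. The plain
# DB_PASSWORD variable is accepted only as a noisy fallback for local
# development: anything in the environment is visible through docker inspect
# and through /proc/<pid>/environ of every child process.
resolve_setting() {
    var=$1
    case "$var" in                       # the name is fed to eval, so be strict
        ''|*[!A-Z0-9_]*) echo "bad variable name: $var" >&2; return 1 ;;
    esac
    file=$(eval "printf '%s' \"\${${var}_FILE:-}\"")
    if [ -n "$file" ]; then
        read_secret "$(basename "$file")" && return 0 || return 1
    fi
    value=$(eval "printf '%s' \"\${${var}:-}\"")
    if [ -n "$value" ]; then
        echo "warning: $var read from the environment; use ${var}_FILE with a Docker secret" >&2
        printf '%s' "$value"
        return 0
    fi
    echo "neither ${var}_FILE nor $var is set" >&2
    return 1
}

# Typical entrypoint use: check that the secret is present and well-formed, then
# let the application read the file itself instead of exporting the value, so it
# never re-enters the environment.
#   resolve_setting DB_PASSWORD >/dev/null || exit 1
#   exec /usr/local/bin/my-app --password-file="$SECRETS_DIR/db_password"
```

Deploying this means setting DB_PASSWORD_FILE=/run/secrets/db_password on the service (that variable holds only a path, so it is safe in the environment) and attaching the secret with --secret so the file exists when the entrypoint runs.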

Quick Reference

Command                                                  Description
docker secret create [name] [file]                       Create a secret from a file (use - to read the value from stdin)
docker secret ls                                         List all secrets
docker secret inspect [name]                             Show a secret's metadata (name, ID, timestamps; never its value)
docker secret rm [name]                                  Remove a secret (fails while a service still uses it)
docker service create --secret [name]                    Use a secret in a service
docker service create --secret source=[name],target=[file],uid=[uid],gid=[gid],mode=[mode]
                                                         Attach a secret with a custom file name, owner and permissions
docker service update --secret-rm [old] --secret-add [new]
                                                         Rotate a secret on a running service
/run/secrets/[name]                                      Path inside the container where the secret file is mounted

Key Takeaways

Docker secrets securely store sensitive data and are only accessible to authorized services.
Create secrets from files using 'docker secret create' and attach them to services with '--secret'.
Secrets are a Swarm feature: the daemon must be in swarm mode, and secrets are attached to services, not to docker run containers.
Secrets appear inside Linux containers as files on a tmpfs at '/run/secrets/[secret_name]', with the file name, owner and mode configurable through the long form of '--secret'.
Avoid storing secrets in environment variables or image layers for security.