DEV Community

Abhay Singh Kathayat
Master Docker Secrets: Securely Managing Sensitive Data

Docker Secrets Management: Safeguarding Sensitive Data

Docker Secrets is a feature designed to securely store and manage sensitive information, such as passwords, API keys, and TLS certificates, used by your containers. It ensures that such sensitive data is encrypted, shared only with authorized services, and never exposed in plaintext in container layers or logs.


Key Features of Docker Secrets

  1. Encryption:

    Secrets are encrypted during storage and transmission within a Docker Swarm.

  2. Access Control:

    Secrets are only available to services that explicitly request them. They are mounted as read-only in containers.

  3. Ease of Use:

    Secrets can be created, updated, and distributed seamlessly within a Swarm cluster.


How Docker Secrets Work

  1. Create a Secret:

    Use the docker secret create command to create a secret.

    echo "my_secure_password" | docker secret create db_password -

  2. Use Secrets in a Service:

    Reference the secret in a service definition using a docker-compose.yml file or Docker CLI.

  3. Deploy the Service:

    The secret becomes available to the service as a file in a predefined directory (/run/secrets/).


Steps to Use Docker Secrets

1. Create a Secret

Secrets can be created from the CLI:

echo "my_secure_password" | docker secret create db_password -

2. Define Secrets in a docker-compose.yml

Here’s an example of how to define and use secrets in a docker-compose.yml file:

version: '3.8'

services:
  db:
    image: mysql:latest
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password

secrets:
  db_password:
    external: true

3. Deploy the Stack

Deploy the stack to a Swarm cluster:

docker stack deploy -c docker-compose.yml my_stack
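The compose file above hands MySQL the secret through the MYSQL_ROOT_PASSWORD_FILE variable, which works because the official image's entrypoint knows the VAR / VAR_FILE convention. For services whose image does not, the entrypoint has to implement that convention itself. The following helper is an added example, not code from the original post or from the Docker project: it reads a secret from its mounted file, refuses to start on a missing or empty file, rejects the ambiguous case where both VAR and VAR_FILE are set, and exports the value for the application. The secret directory is a parameter (defaulting to /run/secrets) so the helper can be exercised outside a Swarm; the demo path and values are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): entrypoint helper that
# implements the VAR / VAR_FILE convention the compose file relies on
# (MYSQL_ROOT_PASSWORD_FILE -> /run/secrets/db_password).

# read_secret_file PATH
# Prints the secret value. Fails (non-zero) when the file is missing or
# empty so a misconfigured service stops early instead of starting with
# an empty password. Command substitution strips the trailing newline
# that `echo "..." | docker secret create name -` leaves in the secret.
read_secret_file() {
    path="$1"
    [ -f "$path" ] || { echo "secret file not found: $path" >&2; return 1; }
    [ -s "$path" ] || { echo "secret file is empty: $path" >&2; return 1; }
    value=$(cat "$path")
    # Never echo the value to stdout/stderr in a way that reaches logs;
    # the caller captures it with $(...) only.
    printf '%s' "$value"
}

# file_env VAR
# Resolves VAR from either VAR or VAR_FILE, mirroring what the official
# database images do. Setting both is rejected as ambiguous: the operator
# may believe the file wins while the plaintext variable is what is used.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "both $var and $file_var are set; choose one" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        val=$(read_secret_file "$file") || return 1
    fi
    [ -n "$val" ] || { echo "$var is not set" >&2; return 1; }
    export "$var=$val"
    # The *_FILE path is no longer needed by child processes.
    unset "$file_var"
}

# Stand-alone demo with a constructed secret directory (run: sh entrypoint.sh demo).
if [ "${1:-}" = "demo" ]; then
    SECRET_DIR="${SECRET_DIR:-/run/secrets}"
    [ -d "$SECRET_DIR" ] || { SECRET_DIR=$(mktemp -d); printf 'my_secure_password\n' > "$SECRET_DIR/db_password"; }
    MYSQL_ROOT_PASSWORD_FILE="$SECRET_DIR/db_password"
    file_env MYSQL_ROOT_PASSWORD && echo "MYSQL_ROOT_PASSWORD resolved (${#MYSQL_ROOT_PASSWORD} chars)"
fi
```

In a real entrypoint, `file_env` is called once per sensitive variable before `exec`ing the server process; note that `echo` appends a newline to the secret at creation time, so either strip it as above or create the secret with `printf '%s'`.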

Managing Secrets

  • List Secrets:

    docker secret ls

  • Inspect a Secret (shows only metadata, never the secret's content):

    docker secret inspect db_password

  • Remove a Secret:

    docker secret rm db_password

Best Practices for Secrets Management

  1. Use Swarm Mode:

    Docker Secrets are only available in Swarm mode.

  2. Avoid Storing Secrets in Images:

    Never bake secrets into your Docker images or environment variables.

  3. Restrict Access:

    Only assign secrets to services that require them.

  4. Rotate Secrets:

    Periodically update and replace secrets to reduce risks.
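Rotating a secret in practice is less direct than the bullet suggests, because Swarm secrets are immutable: there is no `docker secret update`. A rotation creates a replacement secret under a new name, swaps it into the service at the same mount target so the application keeps reading the same /run/secrets path, and removes the old secret once nothing references it. The script below is an added example, not code from the original post; it assumes the stack deployed above (service `my_stack_db`, secret `db_password`) and takes the new value on stdin so it never appears in argv or shell history. The version suffix and the demo value are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): rotating a Swarm secret.
# Secrets are immutable, so rotation = create new -> swap into service -> remove old.

# rotate_secret SERVICE SECRET VERSION   (new value is read from stdin)
# Prints the name of the replacement secret on success.
rotate_secret() {
    service="$1"; secret="$2"; version="$3"
    new="${secret}_${version}"

    # "-" reads the value from stdin, keeping it out of `ps` output and history.
    docker secret create "$new" - || return 1

    # Remove the old reference and add the new secret under the *old* target
    # name, so the container still reads /run/secrets/<secret>. This triggers
    # a rolling update of the service's tasks, which is what picks up the value.
    docker service update \
        --secret-rm "$secret" \
        --secret-add "source=$new,target=$secret" \
        "$service" || return 1

    # The old secret can only be removed once no service references it.
    docker secret rm "$secret" || return 1

    echo "$new"
}

# Stand-alone demo with a constructed value (run: sh rotate.sh demo).
# In practice pipe in the output of a generator such as `openssl rand -base64 32`;
# printf '%s' avoids the trailing newline that `echo` would add to the secret.
if [ "${1:-}" = "demo" ]; then
    printf '%s' 'constructed_new_password' | rotate_secret my_stack_db db_password v2
fi
```

After the update, `docker secret ls` shows only `db_password_v2`, while `docker exec` into a task still finds the file at /run/secrets/db_password because the target name was preserved.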


Use Case Example

Imagine a database service that requires a root password. Instead of hardcoding the password in your environment variables or Dockerfile, you can securely store it as a Docker Secret. When the database container starts, it reads the password from /run/secrets/db_password.


Stay Connected

Follow me for more Docker and DevOps insights:

Let’s connect and discuss more secure development practices!
