DEV Community

SOVANNARO

Using Secrets with Local Docker Compose: Secure Your Config Like a Pro!

Docker Compose is a handy tool for running multi-container applications. But when it comes to storing sensitive information (like API keys, database passwords, or secret tokens), hardcoding them in your docker-compose.yml is a big no-no. 🧨

Luckily, Docker Compose supports a secrets feature to keep things safe, even in local development!

Let’s walk through how to use secrets with local Docker Compose like a pro. 💪


🧠 What Are Docker Secrets?

Docker secrets allow you to store confidential data outside your code. These secrets can be files or values that your services read securely at runtime.

In Swarm mode, secrets are managed by the orchestrator. But in local development (non-Swarm), we can still use secrets with Docker Compose, just in a slightly different way.


🏗️ Folder Structure Example

.
├── docker-compose.yml
├── secrets/
│   ├── db_password.txt
│   └── api_key.txt

You store your secrets as plain text files in a folder (e.g., secrets/).


🛠️ Step-by-Step: How to Use Secrets in Local Docker Compose

1. Create Secret Files

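Each secret should be in its own file, and the file should contain only the secret value (the # lines below just label which file is which):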

# secrets/db_password.txt
super-secret-password

# secrets/api_key.txt
my-very-secret-api-key

Keep the secrets/ folder out of version control by adding it to .gitignore!

# .gitignore
secrets/

2. 🧾 Update docker-compose.yml

Here’s how to use secrets in Compose (v3+):

version: '3.8'

services:
  app:
    image: your-app-image
    build: .
    secrets:
      - db_password
      - api_key
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password
      API_KEY_FILE: /run/secrets/api_key

  db:
    image: postgres
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt
  api_key:
    file: ./secrets/api_key.txt

✅ What Happens Behind the Scenes?

Docker Compose mounts the secret files inside the container at:

/run/secrets/<secret_name>

Your app should read the content of the file, not expect it as an environment variable.

For example, in Node.js you could do:

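const fs = require('fs');

// Read the secret from the file Compose mounts, dropping the trailing newline.
const dbPassword = fs.readFileSync('/run/secrets/db_password', 'utf-8').trim();
// Confirm the secret loaded without printing its value.
console.log('DB password loaded:', dbPassword.length > 0);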

💡 Pro Tips

  • 🧪 Use docker-compose down -v to clear the containers (and the secrets mounted into them) and volumes when stopping services. The source files in secrets/ stay on your host until you delete them.
  • Never log secret values in your console or logs.
  • 👀 Use .env files only for non-sensitive config in dev.

🧹 Bonus: Add Some Automation

You can create a script to generate secret files easily:

#!/bin/bash
# Generates local dev secret files. The values below are placeholders:
# don't commit this script with real secrets in it.
set -euo pipefail
mkdir -p secrets
echo "super-secret-password" > secrets/db_password.txt
echo "my-very-secret-api-key" > secrets/api_key.txt
echo "✅ Secrets created!"

🎉 Wrapping Up

Using secrets in local Docker Compose isn’t just for pros; it’s for anyone who wants to write secure, production-like local setups. With just a few simple steps, you can keep your secrets safe and your app happy.

Remember: Treat your local setup like production and your future self will thank you!
