How to keep docker secrets secure

Secret values such as API keys, passwords, and certificates need to be safely handled throughout the software development process and your app’s runtime. Exposure of secrets can be catastrophic, as unauthorized actors could use the credentials to perform privileged interactions with your services.

What are Docker Secrets?

Docker secrets are a secure way to manage sensitive data, such as passwords, API keys, and certificates (each secret up to 500 kB in size), in a Docker Swarm environment. They allow you to store and manage sensitive information separately from your application code, ensuring that it is not exposed in your source code or Docker images.

In Docker Swarm, these secrets are stored on the manager nodes in the encrypted Raft log and shared only with the worker nodes that run a service granted access to them. Inside a container, a secret is mounted as a file on an in-memory filesystem (under /run/secrets/) rather than written to disk, so unlike regular files on a file system it cannot simply be opened and read from the host.

Docker Compose vs. Docker Swarm

Before we proceed, it’s important to grasp the key difference between Docker Compose and Docker Swarm, as it will help you understand why they handle things differently.

Docker Compose is primarily designed to simplify the process of defining and running multi-container Docker applications. It uses a simple YAML file to configure the services, networks, and volumes required to run multiple containers simultaneously. Docker Compose is particularly useful during the development phase, allowing developers to define the services required for their application and run them with a single command.

On the other hand, Docker Swarm serves as an orchestration tool that helps you manage and run multiple containers across multiple host machines. It’s designed for scaling and orchestrating containers across a cluster of machines.

Tip

If you're not planning on deploying with Swarm, use Docker Compose instead.

Docker Compose supports the build section to build images from a Dockerfile, while Docker Swarm does not. In Docker Swarm, you must pre-build your images and push them to a Docker registry.

name: gridlab-pssx

services:
  apihost:
    image: gridlab.pssx/apihost:latest
    container_name: pssx-apihost
    build:
      context: ./
      dockerfile: src/GridLab.PSSX.AuthServer/Dockerfile.Local
    ...
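Here is how the apihost service above could consume a secret under both Docker Compose and Docker Swarm (an added example, not the page's own configuration; the secret name db_password, the DB_PASSWORD_FILE variable and the local file path are assumptions):

```yaml
name: gridlab-pssx

services:
  apihost:
    image: gridlab.pssx/apihost:latest
    # Grant the service access to the secret. Docker mounts it as a file at
    # /run/secrets/db_password on an in-memory filesystem; it is never baked
    # into the image and never written to the host's disk.
    secrets:
      - source: db_password
        target: db_password
        mode: 0400
    environment:
      # Pass the path, not the value: the secret itself never appears in
      # `docker inspect` output or in the environment of child processes.
      DB_PASSWORD_FILE: /run/secrets/db_password

secrets:
  # Docker Compose (local development): the secret is read from a file that
  # must be kept out of version control (e.g. listed in .gitignore).
  db_password:
    file: ./secrets/db_password.txt

  # Docker Swarm (docker stack deploy): when the secret has already been
  # created on a manager node, e.g.
  #   docker secret create db_password ./secrets/db_password.txt
  # replace the definition above with an external reference:
  # db_password:
  #   external: true
```

Either way the application reads the secret from the path in DB_PASSWORD_FILE at startup, which is the same pattern official images use for their *_FILE variables.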