Docker Secrets

In this blog, we will be learning Docker secrets. Docker secrets offer a secure way to store sensitive information such as usernames, passwords, and even files like self-signed certificates, ssh keys.

Consider the below command -

docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=mypassword -d mysql:tag

It's not a secure way to share the password through the command line or through the environment variable.

Let's dive right in and see how to create secrets.

docker secret create

Creates a secret using standard input or from a file for the secret content.


docker secret create [OPTIONS] SECRET [file|-]


--driver , -d: Secret driver
--label , -l: Secret labels
--template-driver: Template driver


Creating a secret-

# docker secret secretName -

Do not miss the '-' in the last, as it reads the standard input.

The above command will expect an input from you which will be the password. Enter the password and hit ctrl+D to exit -


root@master:~# docker secret create dbpass -
root@master:~# docker secret ls
ID                          NAME      DRIVER    CREATED          UPDATED
zkdsviynv8bogg6eu32c4rhh0   dbpass              16 seconds ago   16 seconds ago

Let's inspect the above password to check if it is exposing any of the provided secrets -

root@master:~# docker secret inspect dbpass
        "ID": "zkdsviynv8bogg6eu32c4rhh0",
        "Version": {
            "Index": 340
        "CreatedAt": "2021-11-21T19:04:28.242077255Z",
        "UpdatedAt": "2021-11-21T19:04:28.242077255Z",
        "Spec": {
            "Name": "dbpass",
            "Labels": {}

This was one of the ways to encrypt the data. You can also provide the password using a stored file. Create a file testpw and add password mytestpwfile in it.

root@master:~# echo "mytestpwfile">testpw
root@master:~# ls
root@master:~# cat testpw

To create the secret using this file, run the following command-

root@master:~# docker secret create mytestfile testpw
root@master:~# docker secret ls
ID                          NAME         DRIVER    CREATED          UPDATED
zkdsviynv8bogg6eu32c4rhh0   dbpass                 20 minutes ago   20 minutes ago
oq4t76x6ird65lg5t25jfeams   mytestfile             14 seconds ago   14 seconds ago

The secret we created can only be used by the service it is being assigned to.

root@master:~# docker service create -d --secret dbpass alpine ping
root@master:~# docker service ps vr
ID             NAME                      IMAGE           NODE       DESIRED STATE   CURRENT STATE           ERROR     PORTS
87s41vxfd7sd   agitated_grothendieck.1   alpine:latest   worker01   Running         Running 8 seconds ago

The above command makes sure that this service container only will have the right to use the dbpass secret.

Where does the docker save the secrets?

Docker swarm worker nodes save the secrets at the path /run/secrets/. And this can be verified as follows -

on worker01 node where service's container available

root@worker01:~# docker ps
CONTAINER ID   IMAGE           COMMAND          CREATED          STATUS          PORTS     NAMES
69c1447b6e51   alpine:latest   "ping"   15 seconds ago   Up 15 seconds             agitated_grothendieck.1.87s41vxfd7sdu0mkms2cdwkch
root@worker01:~# docker container exec -it 69 sh
/ # cd /run/secrets/
/run/secrets # ls
/run/secrets # cat dbpass
/run/secrets #