From what I understand, Docker secrets and mounts (bind and volume) are all secure ways of managing secrets within a Docker container. I am wondering whether secrets have any security advantages?
I have an arbitrarily sized group of secrets. The secrets are kept in separate files in a folder. They periodically and automatically change. I want to make all of them available to a Docker container. Using a bind mount, I can mount their folder and they will all be accessible. Using secrets, I would have to specify each one in the Docker Compose file, increasing coupling and reducing maintainability. Is there any reason I should choose to go with secrets at the cost of maintainability?
2 Answers
If you are not using Swarm, it is of no use to you.
Using secrets has the following advantages:
You can leverage secrets in Docker Compose, which brings the secrets features to containers regardless of Swarm. Docker Compose just gives a nice interface/facade for mounting a secret file and exposing it to the container with its naming conventions.
I was thinking the same recently, not wanting to actually use Docker Swarm or run anything distributed. In my case, the starting point was a project using .env containing secrets. If you have a simple Docker Compose project, there is no added value from using Docker secrets managed via docker secret. Note that without actually being a Swarm manager, you cannot even create secrets with docker secret! Unbeknownst to many, Docker Compose actually has support for mounting secrets just like Docker Swarm, with the exception that it only works for local files. So this would be a valid Docker Compose config:
You don’t really gain a lot of extra security or added value here, apart from the fact that you separate the volumes and other types of configuration (via env) from the secrets, which provides a little bit of extra safeguard against accidentally committing a secret to a repository, or mounting the wrong file to the wrong container, etc.
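As an added example that is not part of the answer above, here is a Compose file showing both approaches the thread compares side by side: Compose-native file secrets for one service and the question's whole-folder bind mount for another. Service names, image names and secret file paths are assumptions.

```yaml
# Added example, not from the answer above. Names and paths are assumed.
services:
  app:
    image: example/app:latest          # assumed image name
    # Compose-native secrets: each secret declared under the top-level
    # "secrets:" key appears inside the container as /run/secrets/<name>.
    secrets:
      - db_password
      - api_token
    environment:
      # Hand the application file paths, not the values, so the secret never
      # shows up in the container environment or in "docker inspect" output.
      DB_PASSWORD_FILE: /run/secrets/db_password
      API_TOKEN_FILE: /run/secrets/api_token

  # The bind-mount approach from the question: one mount exposes an entire,
  # arbitrarily sized folder. Because the directory itself is mounted, a secret
  # file that is rotated on the host (even by write-to-temp and rename) is seen
  # by the running container. ":ro" keeps the container from altering the host
  # copies. Note that a per-file secret mount (as above) binds the original
  # file's inode, so a rotation that replaces the file rather than rewriting
  # it in place is not visible until the container is recreated.
  worker:
    image: example/worker:latest       # assumed image name
    volumes:
      - ./secrets:/run/secrets:ro

# Top-level secret definitions. Without Swarm only "file:" sources work, and
# every secret has to be listed individually, which is the coupling the
# question describes.
secrets:
  db_password:
    file: ./secrets/db_password.txt
  api_token:
    file: ./secrets/api_token.txt
```

Running `docker compose config` renders the resolved file and reports schema errors before any container starts.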