This content originally appeared on DEV Community and was authored by SOVANNARO
When deploying applications with Docker Swarm, you’ll often run into a common problem: how do you securely handle secrets like API keys, database passwords, and tokens? Storing them in .env files or hardcoding them into your docker-compose.yml is dangerous — especially in production.
In this post, let’s break down why Swarm secrets are important, how to use them, and a real-world example to make your apps more secure and production-ready. 🔒
🤔 Why Not Just Use .env Files?
Environment variables in .env files are fine for local development, but:
- They can accidentally get committed to Git.
- Anyone with access to the container can read them via
docker inspectorps. - They are not encrypted and not safe for production.
If your production secrets are stored in plaintext, it's like locking your house but leaving the key under the doormat.
🧪 Enter: Docker Swarm Secrets
Docker Swarm provides a built-in way to securely store and manage secrets, such as passwords, TLS certificates, or SSH keys. These secrets are:
- Stored encrypted at rest.
- Exposed only to services that need them.
- Mounted as read-only files inside containers.
- Never exposed in
docker inspect, logs, orps.
⚙️ How to Create and Use Secrets in Swarm
Let’s go step-by-step with a practical example:
1. 🧪 Create a Secret
echo "my-super-secret-password" | docker secret create db_password -
This creates a secret named
db_password.
2. 🔐 Use the Secret in a Service
Let’s say you have a MySQL container that needs the password:
# docker-compose.yml (Swarm version)
version: '3.9'
services:
mysql:
image: mysql:8
environment:
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_password
secrets:
- db_password
deploy:
replicas: 1
secrets:
db_password:
external: true
Notice how we use
_FILEto read the secret from a mounted file. Docker injects it to/run/secrets/db_password.
3. 🚀 Deploy with Swarm
docker stack deploy -c docker-compose.yml my_stack
That’s it! 🎉 Your container now securely uses the secret without exposing it as an environment variable.
🧼 Best Practices for Using Docker Secrets
✅ Use _FILE suffix whenever possible — this tells your app to read from the file, not an env var.
✅ Avoid docker secrets create in CI — instead, automate it via scripts or CI/CD tools.
✅ Rotate secrets regularly. You can update them by removing and recreating them with the same name.
✅ Use access control — only services that need the secret should have access.
🛡️ Real-World Analogy
Think of Docker secrets like bank safety deposit boxes:
- You (Swarm manager) create the box (secret).
- Only specific people (containers/services) can view inside.
- No one else in the building (host or other containers) can peek in.
Much safer than hiding cash under your pillow (.env).
🧠 Final Thoughts
If you’re building secure, production-ready applications with Docker Swarm, you should never store secrets as environment variables.
Instead, leverage Docker Secrets to protect your sensitive data with minimal effort and maximum security. 🔐
📘 Bonus: Tools That Work Well with Docker Secrets
- 🔐 HashiCorp Vault
- 🛠️ Docker configs — for non-sensitive config files
- 🔄 sops + GitOps for encrypted secrets in Git
Need help setting this up for your own app? Drop a comment or reach out — happy to help!
This content originally appeared on DEV Community and was authored by SOVANNARO
SOVANNARO | Sciencx (2025-06-28T15:16:54+00:00) 🛡️ Secrets Storage for Docker Swarm: Protecting Your Environment Variables Like a Pro. Retrieved from https://www.scien.cx/2025/06/28/%f0%9f%9b%a1%ef%b8%8f-secrets-storage-for-docker-swarm-protecting-your-environment-variables-like-a-pro/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.