About secrets

In terms of Docker Swarm services, a secret is a blob of data, such as a password, SSH private key, SSL certificate, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application's source code. In Docker 1.13 and higher, you can use Docker secrets to centrally manage this data and securely transmit it to only those containers that need access to it.

Note: Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service. Stateful containers can typically run with a scale of 1 without changing the container code.

Another use case for secrets is to provide a layer of abstraction between the container and a set of credentials. Consider a scenario where you have separate development, test, and production environments for your application. Each of these environments can have different credentials, stored in the development, test, and production swarms under the same secret name. Your containers only need to know the name of the secret to function in all three environments.
You can also use secrets to manage non-sensitive data, such as configuration files. However, Docker 17.06 and higher support the use of configs for storing non-sensitive data. Configs are mounted into the container's filesystem directly, without the use of a RAM disk.

Docker 17.06 and higher also include support for secrets on Windows containers. Where there are differences in the implementations, they are called out in the examples below. Keep the following notable differences in mind:

- Microsoft Windows has no built-in driver for managing RAM disks, so within running Windows containers, secrets are persisted in clear text to the container's root disk. However, the secrets are explicitly removed when a container stops. In addition, Windows does not support persisting a running container as an image using docker commit or similar commands.
- Secret files with custom targets are not directly bind-mounted into Windows containers, since Windows does not support non-directory file bind-mounts. Instead, secrets for a container are all mounted in the container's secrets directory, and symbolic links are used to point from there to the desired target of the secret within the container.
- When creating a service which uses Windows containers, the options to specify UID, GID, and mode are not supported for secrets.
- Secrets are currently only accessible by administrators and users with system access within the container.

How Docker manages secrets

When you add a secret to the swarm, Docker sends the secret to the swarm manager over a mutual TLS connection. The secret is stored in the Raft log, which is encrypted. The entire Raft log is replicated across the other managers, ensuring the same high availability guarantees for secrets as for the rest of the swarm management data.

Warning: Raft data is encrypted in Docker 1.13 and higher. If any of your Swarm managers run an earlier version, and one of those managers becomes the manager of the swarm, the secrets are stored unencrypted in that node's Raft logs. Before adding any secrets, update all of your manager nodes to Docker 1.13 or higher to prevent secrets from being written to plain-text Raft logs.

When you grant a newly-created or running service access to a secret, the decrypted secret is mounted into the container in an in-memory filesystem. You can specify a custom location in Docker 17.06 and higher.
You can update a service to grant it access to additional secrets or revoke its access to a given secret at any time. When a container task stops running, the decrypted secrets shared to it are unmounted from the in-memory filesystem for that container and flushed from the node’s memory. If a node loses connectivity to the swarm while it is running a task container with access to a secret, the task container still has access to its secrets, but cannot receive updates until the node reconnects to the swarm. You can add or inspect an individual secret at any time, or list all secrets. You cannot remove a secret that a running service is using. See Rotate a secret for a way to remove a secret without disrupting running services. To update or roll back secrets more easily, consider adding a version number or date to the secret name.
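As an added example that is not part of the Docker documentation, the following Python shows how an application inside a service container can consume a secret from the in-memory mount described above. It reads the secret file from /run/secrets (the default mount point in Linux containers), fails with a clear error when the secret is not mounted, which is what happens when the container runs standalone rather than as a swarm service or was never granted the secret, and resolves the newest `<name>_vN` file so the versioned-name rotation advice above works while both the old and new version are granted. The `SECRETS_DIR` environment variable override, the `_vN` naming convention and the sample secret files written by `demo()` are assumptions made for this example, not Docker conventions.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Default mount point for secrets inside a Linux swarm service container.
DEFAULT_SECRETS_DIR = "/run/secrets"

# Hypothetical override so the same code serves a custom --secret target
# (or a test directory); this is not a Docker-defined variable.
SECRETS_DIR_ENV = "SECRETS_DIR"

# Assumed naming convention for rotated secrets: <name>_v<N>.
_VERSION_RE = re.compile(r"^(?P<base>.+)_v(?P<n>\d+)$")


class SecretNotFound(RuntimeError):
    """The secret file is absent: the service was not granted it, or the
    container is running standalone instead of as a swarm service."""


def secrets_dir() -> Path:
    return Path(os.environ.get(SECRETS_DIR_ENV, DEFAULT_SECRETS_DIR))


def read_secret(name: str, base: Optional[Path] = None) -> str:
    """Return the secret's contents as text, minus a single trailing newline.

    Secrets are usually created from files or shell output and so often end
    in a newline that is not part of the credential itself.
    """
    base = secrets_dir() if base is None else base
    path = base / name
    if not path.is_file():
        raise SecretNotFound(
            f"secret {name!r} is not mounted at {path}; grant it to the service "
            f"(docker service create --secret {name} ...) and run as a service"
        )
    data = path.read_bytes()
    if data.endswith(b"\n"):
        data = data[:-1]
    return data.decode("utf-8")


def latest_versioned(name: str, base: Optional[Path] = None) -> str:
    """Pick the highest `<name>_vN` file currently mounted.

    During a rotation the service may briefly be granted both the old and
    the new version; choosing the highest N moves the application to the new
    credential before the old secret is revoked.
    """
    base = secrets_dir() if base is None else base
    if not base.is_dir():
        raise SecretNotFound(f"secrets directory {base} does not exist")
    best: Optional[Tuple[int, str]] = None
    for entry in base.iterdir():
        m = _VERSION_RE.match(entry.name)
        if not (m and m.group("base") == name and entry.is_file()):
            continue
        n = int(m.group("n"))
        if best is None or n > best[0]:
            best = (n, entry.name)
    if best is None:
        raise SecretNotFound(f"no versioned secret {name}_vN mounted in {base}")
    return best[1]


def demo() -> dict:
    """Exercise the helpers against a constructed temporary secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        # Constructed sample secrets standing in for files Docker would mount.
        (base / "db_password_v1").write_text("old-pass\n")
        (base / "db_password_v2").write_text("new-pass\n")
        (base / "api_token").write_text("tok-123")  # created without a newline
        result = {
            "api_token": read_secret("api_token", base),
            "db_latest_name": latest_versioned("db_password", base),
        }
        result["db_password"] = read_secret(result["db_latest_name"], base)
        try:
            read_secret("tls_key", base)  # never granted to this service
            result["missing_raises"] = False
        except SecretNotFound:
            result["missing_raises"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

Failing fast on a missing secret file is deliberate: falling back to an environment variable or a baked-in default would silently reintroduce exactly the plaintext-in-image problem secrets are meant to remove.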