🛡️ Secrets Storage for Docker Swarm: Protecting Your Environment Variables Like a Pro

This content originally appeared on DEV Community and was authored by SOVANNARO

When deploying applications with Docker Swarm, you’ll often run into a common problem: how do you securely handle secrets like API keys, database passwords, and tokens? Storing them in .env files or hardcoding them into your docker-compose.yml is dangerous — especially in production.

In this post, let’s break down why Swarm secrets are important, how to use them, and a real-world example to make your apps more secure and production-ready.

Why Not Just Use .env Files?

Environment variables in .env files are fine for local development, but:

• They can accidentally get committed to Git.
• Anyone with access to the container can read them via docker inspect or ps.
• They are not encrypted and not safe for production.

If your production secrets are stored in plaintext, it’s like locking your house but leaving the key under the doormat.

Enter: Docker Swarm Secrets

Docker Swarm provides a built-in way to securely store and manage secrets, such as passwords, TLS certificates, or SSH keys. These secrets are:

• Stored encrypted at rest.
• Exposed only to services that need them.
• Mounted as read-only files inside containers.
• Never exposed in docker inspect, logs, or ps.

How to Create and Use Secrets in Swarm

Let’s go step-by-step with a practical example:

1. Create a Secret

echo "my-super-secret-password" | docker secret create db_password -

This creates a secret named db_password.

2. Use the Secret in a Service

Let’s say you have a MySQL container that needs the password:

# docker-compose.yml (Swarm version)
version: '3.9'

services:
  mysql:
    image: mysql:8
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_password
    secrets:
      - db_password
    deploy:
      replicas: 1

secrets:
  db_password:
    external: true

Notice how we use _FILE to read the secret from a mounted file. Docker injects it to /run/secrets/db_password.

3. Deploy with Swarm

docker stack deploy -c docker-compose.yml my_stack

That’s it! Your container now securely uses the secret without exposing it as an environment variable.

Best Practices for Using Docker Secrets

Use _FILE suffix whenever possible — this tells your app to read from the file, not an env var.
Avoid docker secrets create in CI — instead, automate it via scripts or CI/CD tools.
Rotate secrets regularly. You can update them by removing and recreating them with the same name.
Use access control — only services that need the secret should have access.

Real-World Analogy

Think of Docker secrets like bank safety deposit boxes:

• You (Swarm manager) create the box (secret).
• Only specific people (containers/services) can view inside.
• No one else in the building (host or other containers) can peek in.

Much safer than hiding cash under your pillow (.env).

Final Thoughts

If you’re building secure, production-ready applications with Docker Swarm, you should never store secrets as environment variables.

Instead, leverage Docker Secrets to protect your sensitive data with minimal effort and maximum security.

Bonus: Tools That Work Well with Docker Secrets

• HashiCorp Vault
• Docker configs — for non-sensitive config files
• sops + GitOps for encrypted secrets in Git

Need help setting this up for your own app? Drop a comment or reach out — happy to help!

This content originally appeared on DEV Community and was authored by SOVANNARO