How Can I Secure Sensitive Information in My Docker Compose Files?

Check out Doppler Secret Manager. They have a free tier that could really help you manage your secrets effectively.

Just a heads-up: if someone gains access to your server, they could utilize docker exec along with export commands to read the secret env variables. So I'd recommend setting your docker-compose.yml permissions to 0600. That should add an extra layer of security.

A solid approach is to utilize a .env file, as it loads automatically during the build process. You can verify your variables beforehand by running `docker compose config` to see the complete file that Docker will build. If it's possible, try running your container in a rootless mode. Also, remember to never push your .env file to git. A neat tip is to create an `.env.example` file with all your keys and add that to git instead.

Make sure to steer clear of directly exposing any sensitive values in your compose file. I use Docker secrets and mount them at the standard `/run/secrets/X` location in the container. I rely on environment variables which are injected through the .env file. Just remember, if your host is compromised, your secrets are too. It's all about recovery—nuke the host and rotate the secrets if that happens.