I'm trying to understand why Docker secrets are considered more secure than traditional .env files in a docker-compose setup. I know that storing secrets in .env files can be risky since their values can be exposed through docker inspect, allowing anyone with access to the Docker daemon to see them. Docker secrets help mitigate this by mounting secrets as files in /run/secrets/ instead of using environment variables, which keeps them hidden from docker inspect. However, I'm confused about a potential vulnerability: if an attacker can run docker exec inside a container, they could easily cat /run/secrets/ to read the secret anyway. So, is Docker secrets primarily beneficial for preventing sensitive information from appearing in logs?
1 Answer
You’re right that if someone has access to your Docker daemon, they can probably get to your secrets regardless. But using Docker secrets is more about minimizing the chances of accidental exposure—like those times when .env files end up in logs or source control. By using secrets, you limit the scenarios where they might be unknowingly leaked, making it harder for someone to stumble upon them by accident.
Exactly! It’s all about reducing the opportunities for mistakes. Unlike .env files, Docker secrets are loaded into the container environment securely, and with integrations for vaults, developers working on production don’t typically need to see the secrets at all.