How to securely store secrets in Docker container?

Docker Secrets is the new recommended method for sharing & storing secrets inside containers. Docker deliberately opted to store secrets in files under /run/secrets over the environment variable approach.

Generally speaking you have to assume tighter security for the instance that's running the container than the container itself because, as you point out, a compromise there affects everything downstream. This is the same with the VM host that's running your EC2 instance.

A standard solution is to pass secrets into the container via environment variable. I've also seen solutions (for secrets stored in Hashicorp Vault) that create a fuse filesystem that's mounted into the container or a similar approach using a Docker volume driver. This isn't quite as straightforward, but may be easier if you're passing lots of secrets.
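Added example covering both answers above (it is not code from either poster or from Docker): a small POSIX shell helper that a process inside the container can use to consume a file-based secret from /run/secrets, plus the docker commands that put the file there, first with Swarm secrets (the first answer) and then with a read-only bind mount of a root-only host file for plain `docker run` (the mounted-file variant of the second answer). The secret name `db_password`, the value, and the image tag are constructed for illustration; `SECRETS_DIR` is an assumed override that exists only so the helper can be exercised outside a container.

```shell
#!/bin/sh
# Added example, not from the answers above. Inside a Swarm task Docker mounts
# each secret at /run/secrets/<name>; the override exists only so read_secret
# can be tried outside a container.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME: print the secret value, or fail with a message on stderr.
# Command substitution strips the trailing newline that
# `echo value | docker secret create ...` would otherwise bake into the secret.
read_secret() {
    name=$1
    path="$SECRETS_DIR/$name"
    if [ ! -f "$path" ]; then
        echo "secret '$name' is not mounted at $path" >&2
        return 1
    fi
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "secret '$name' at $path is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# secret_is_private NAME: succeed only if the mounted secret file is not
# readable by group or others. Docker mounts secrets 0444 by default, so a
# service that wants 0400 has to ask for it (see provision_swarm).
secret_is_private() {
    path="$SECRETS_DIR/$1"
    # columns 5-10 of `ls -l` are the group and other permission bits
    mode=$(ls -l "$path" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# provision_swarm: the Swarm-mode side (requires `docker swarm init`).
# The value is piped in from printf so no newline is stored, and mode=0400
# keeps the file readable by the service's user only. Not run by the tests.
provision_swarm() {
    printf '%s' 'constructed-example-password' | docker secret create db_password -
    docker service create --name app \
        --secret source=db_password,target=db_password,mode=0400 \
        alpine:3 sh -c 'cat /run/secrets/db_password'
}

# provision_run: no Swarm, plain `docker run`. The secret lives in a host file
# readable only by its owner and is bind-mounted read-only at the same path
# the Swarm variant uses, so application code (read_secret) is identical in
# both cases and the value never appears in the container's environment or
# in `docker inspect` output. Not run by the tests.
provision_run() {
    host_file=$(mktemp)
    chmod 600 "$host_file"
    printf '%s' 'constructed-example-password' > "$host_file"
    docker run --rm \
        --mount "type=bind,source=$host_file,target=/run/secrets/db_password,readonly" \
        alpine:3 sh -c 'cat /run/secrets/db_password'
    rm -f "$host_file"
}
```

The point of keeping one code path (`read_secret`) for both provisioning styles is that the application never has to know whether it is running under Swarm or under a bind mount, and it never has to fall back to an environment variable, which would surface the value to every child process and to anyone who can run `docker inspect` on the container.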