Strange, I'm just writing an article about this.
I would advise against using environment variables to keep secrets, mainly for the reasons Diogo Monica describes here; they are visible in many places (associated containers, docker inspection, child processes) and are likely to get into debugging information and problem reports. I don’t think that using an environment variable file will help alleviate any of these problems, although it will stop the values from being stored in your shell’s history.
Instead, you can pass your secret in, for example:
$ docker run -v $(pwd)/my-secret-file:/secret-file ....
If you really want to use an environment variable, you can pass it in as a script to be sourced, which will at least hide it from inspection and linked containers (e.g. CMD source /secret-file && /run-my-app )
The main disadvantage of using the volume is that you run the risk of accidentally checking the file in version control.
A better, but more complicated, solution is to get it from a key-value store such as etcd (with crypt), Keywhiz, or Vault.
Adrian Mouat
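An added example of the "mount the secret as a file, then source it" pattern from the answer above; this is not the answer's own code. /secret-file and /run-my-app are the placeholders used in the answer; the permission check and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: entrypoint wrapper for a secret mounted as a file
# (docker run -v $(pwd)/my-secret-file:/secret-file ...). The file is
# expected to contain shell assignments such as: export DB_PASSWORD=...
# Helper names and the permission policy are assumptions, not from the answer.

# Accept only a regular file readable by its owner alone (mode 0400 or 0600),
# so a world-readable mount does not hand the secret to every process in
# the container.
secret_file_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    400|600) return 0 ;;
    *) return 1 ;;
  esac
}

# Source the secret file inside a subshell and exec the app there, so the
# variables it defines reach only the app process, not this script's own
# environment. As the answer notes, the app's children still inherit them.
run_with_secret_file() {
  f="$1"; shift
  secret_file_ok "$f" || { echo "refusing insecure secret file: $f" >&2; return 1; }
  ( . "$f" && exec "$@" )
}

# Typical use as a container entrypoint (paths from the answer):
#   run_with_secret_file /secret-file /run-my-app
```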