Managing Docker Secrets and Configs in Swarm: A Practical Guide
When deploying applications in Docker Swarm, security and configuration management are critical. That’s where Docker Secrets and Docker Configs come in. They provide a secure and efficient way to handle sensitive information (like passwords and certificates) and configuration files across distributed environments.
In this article, we’ll explore how they work, why they matter, and how to use them effectively in your Swarm setup.
🔐 Docker Secrets
What Are Docker Secrets?
Docker Secrets are designed to store sensitive data such as:
- Database passwords
- TLS/SSL certificates
- API keys and tokens
Secrets are encrypted at rest and in transit and are only accessible to the services that need them inside Swarm.
How to Use Docker Secrets
1. Create a Secret
From standard input (piped):
echo "my_db_password" | docker secret create db_password -
Interactively:
docker secret create db_password_v2 -
# No prompt is shown: the value is read from stdin, so type it and press Ctrl+D to finish
2. Attach a Secret to a Service
docker service create \
--name mysql \
--secret source=db_password,target=db_password \
-e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_password \
mysql:latest
3. Access Secrets Inside a Container
cat /run/secrets/db_password
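On the application side, an image has to accept both a plain variable and its `_FILE` counterpart, the way `MYSQL_ROOT_PASSWORD_FILE` is used above. The POSIX shell helper below is an added example, not code from the original article or from Docker; the function name `load_secret` and the variable `DB_PASSWORD` in its usage comment are hypothetical.

```shell
#!/bin/sh
# load_secret NAME [DEFAULT]  (hypothetical helper for a container entrypoint)
#   - if NAME_FILE is set, read the value from that file
#     (for a Swarm secret: /run/secrets/<target>)
#   - otherwise keep NAME, falling back to DEFAULT
#   - fail if NAME and NAME_FILE are both set, so the source is never ambiguous
# Usage in an entrypoint:  load_secret DB_PASSWORD || exit 1; exec "$@"
load_secret() {
    _ls_name=$1
    _ls_default=${2-}
    # The name is passed to eval below, so accept plain identifiers only.
    case $_ls_name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "load_secret: invalid variable name" >&2
            return 2 ;;
    esac
    eval "_ls_direct=\${$_ls_name-}"
    eval "_ls_file=\${${_ls_name}_FILE-}"
    if [ -n "$_ls_direct" ] && [ -n "$_ls_file" ]; then
        echo "load_secret: $_ls_name and ${_ls_name}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$_ls_file" ]; then
        if [ ! -r "$_ls_file" ]; then
            echo "load_secret: cannot read $_ls_file" >&2
            return 1
        fi
        # $(...) drops trailing newlines, such as the one `echo` adds when
        # the secret is created with `echo ... | docker secret create`.
        _ls_value=$(cat "$_ls_file")
    else
        _ls_value=${_ls_direct:-$_ls_default}
    fi
    eval "$_ls_name=\$_ls_value"
    export "$_ls_name"
    # Drop the pointer so child processes only see the resolved variable.
    unset "${_ls_name}_FILE"
}
```

The resolved value is exported into the process environment, so call the helper only in the entrypoint of the process that needs the secret.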
Useful Commands for Secrets
| Command | Description |
|---|---|
| docker secret create | Create a new secret |
| docker secret ls | List all secrets |
| docker secret inspect | Show secret details |
| docker secret rm | Remove a secret |
⚙️ Docker Configs
What Are Docker Configs?
While Secrets handle sensitive data, Configs are for non-sensitive configuration files like:
- Application settings
- JSON or YAML configs
- Nginx or Apache configs
Unlike Secrets, Configs are not encrypted but provide a convenient way to version and manage configuration centrally.
How to Use Docker Configs
1. Create a Config
docker config create nginx_conf /path/to/nginx.conf
2. Attach Config to a Service
docker service create \
--name web \
--config source=nginx_conf,target=/etc/nginx/nginx.conf \
-p 80:80 \
nginx:latest
3. Update a Config
docker config create nginx_conf_v2 /path/to/new-nginx.conf
docker service update \
--config-rm nginx_conf \
--config-add source=nginx_conf_v2,target=/etc/nginx/nginx.conf \
web
Useful Commands for Configs
| Command | Description |
|---|---|
| docker config create | Create a new config |
| docker config ls | List configs |
| docker config inspect | Show config details |
| docker config rm | Remove a config |
🔄 Using Secrets and Configs Together
# Create a secret and config
echo "admin123" | docker secret create admin_pass -
docker config create app_settings ./settings.json
# Deploy a service
docker service create \
--name myapp \
--secret admin_pass \
--config source=app_settings,target=/app/config.json \
myapp_image:latest
✅ Best Practices
- Never store secrets in images → Always use --secret instead of ENV variables.
- Restrict access → Only Manager nodes can manage secrets and configs.
- Version your configs → Use suffixes like _v1, _v2 for clarity.
- Document dependencies → Clearly define which services require which secrets/configs.
📦 Docker Compose with Swarm
Example docker-compose.yml:
version: "3.8"
services:
  web:
    image: nginx:latest
    configs:
      - source: nginx_conf
        target: /etc/nginx/nginx.conf
    secrets:
      - source: db_password
        target: db_password
configs:
  nginx_conf:
    file: ./nginx.conf
secrets:
  db_password:
    file: ./db_password.txt
Deploy the stack:
docker stack deploy -c docker-compose.yml myapp
🚀 Conclusion
Docker Secrets keep your sensitive data safe, while Docker Configs help manage configuration files seamlessly. Together, they make your Swarm services more secure, reliable, and easier to maintain.
👉 Start applying them in your next deployment to reduce risks and simplify operations.