How to use docker secret create command to manage sensitive data


Introduction

In this lab, you will learn how to effectively manage sensitive data within your Docker environment using the docker secret create command. You will explore different methods for creating secrets, including reading data from standard input (STDIN) and from a file.

The lab will guide you through the process of creating secrets with specific names and from different sources. You will also learn how to add labels to your secrets for better organization and how to inspect the details of the secrets you have created to verify their content and configuration. This hands-on experience will equip you with the fundamental skills needed to secure sensitive information when deploying applications with Docker Swarm.



Create a secret from STDIN

In this step, you will learn how to create a Docker secret by reading data from standard input (STDIN). This is useful for providing sensitive information to a container without storing it directly in a file on the host system.

First, let's create a simple secret containing a password. We will use the echo command to output the password and pipe it to the docker secret create command.

echo "mysecretpassword" | docker secret create my_password_secret -

In this command:

  • echo "mysecretpassword" outputs the string "mysecretpassword" to standard output.
  • | is the pipe operator, which sends the output of the echo command as input to the next command.
  • docker secret create is the command to create a new Docker secret.
  • my_password_secret is the name we are giving to this secret.
  • - tells docker secret create to read the secret data from STDIN.

You should see the ID of the newly created secret as the output.

Create a secret from a file

In this step, you will learn how to create a Docker secret from the content of a file. This is a common method for managing secrets like API keys, certificates, or configuration files.

First, let's create a simple file containing some sensitive data. We will create a file named api_key.txt in the ~/project directory.

echo "my_super_secret_api_key_12345" > ~/project/api_key.txt

This command uses echo to write the string "my_super_secret_api_key_12345" into the file ~/project/api_key.txt.

Now, we will create a Docker secret using the content of this file.

docker secret create my_api_key_secret ~/project/api_key.txt

In this command:

  • docker secret create is the command to create a new Docker secret.
  • my_api_key_secret is the name we are giving to this secret.
  • ~/project/api_key.txt is the path to the file containing the secret data. Docker will read the content of this file and store it as the secret.

You should see the ID of the newly created secret as the output.

Create a secret with labels

In this step, you will learn how to add labels to a Docker secret when you create it. Labels are key-value pairs that you can attach to Docker objects to help organize and identify them. This is particularly useful in larger deployments.

We will create another secret from STDIN, but this time we will add labels to it.

echo "anothersecretvalue" | docker secret create --label env=production --label app=webserver my_labeled_secret -

In this command:

  • echo "anothersecretvalue" provides the secret data via STDIN.
  • docker secret create is the command to create the secret.
  • --label env=production adds a label with the key env and the value production.
  • --label app=webserver adds another label with the key app and the value webserver. You can add multiple labels by repeating the --label flag.
  • my_labeled_secret is the name of the secret.
  • - indicates that the secret data should be read from STDIN.

You should see the ID of the newly created secret as the output. Adding labels helps you categorize your secrets, making them easier to manage and filter later.

Inspect the created secret

In this step, you will learn how to inspect the details of a Docker secret using the docker secret inspect command. This command provides detailed information about a secret, including its ID, name, creation time, and any labels associated with it.

Let's inspect the secret we created in the previous step, my_labeled_secret.

docker secret inspect my_labeled_secret

This command will output a JSON object containing the details of my_labeled_secret. You should see information such as the secret's ID, its name (my_labeled_secret), the time it was created, and the labels we added (env=production and app=webserver).

Note that, for security reasons, the secret data itself is never displayed when you inspect a secret; only its metadata is shown.

You can also inspect the other secrets we created:

docker secret inspect my_password_secret
docker secret inspect my_api_key_secret

Inspecting secrets is a useful way to verify their existence, check their configuration, and confirm that labels have been applied correctly.
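The steps above wrapped into reusable shell functions, as an added example that is not part of the lab: it creates the same secrets, reads a label back through inspect's Go template, and checks that inspect never prints the value. It also shows why printf '%s' is preferable to echo when piping a value: echo appends a newline that becomes part of the stored secret. It assumes Swarm mode is active (docker swarm init) and the docker CLI is on PATH; the function names and the "demo" entry point are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the lab: helpers around `docker secret create`
# and `docker secret inspect`. Assumes Swarm mode is active and `docker` is
# on PATH; function names and the "demo" entry point are constructed here.

# Byte count of what each shell idiom actually feeds into the secret. `echo`
# appends a newline, so the stored value is one byte longer than the password
# typed; `printf '%s'` stores exactly the bytes given.
secret_bytes_echo()   { echo "$1"        | wc -c | tr -d ' '; }
secret_bytes_printf() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Create a secret from a value, without a trailing newline, with optional
# labels passed as extra key=value arguments. Secrets are immutable, so an
# existing name is left untouched (rotate by creating under a new name).
create_secret() {
    name=$1; value=$2; shift 2
    if docker secret inspect "$name" >/dev/null 2>&1; then
        echo "secret $name already exists, skipping" >&2
        return 0
    fi
    labels=""
    for kv in "$@"; do labels="$labels --label $kv"; done
    # $labels is intentionally unquoted so it splits into separate flags
    printf '%s' "$value" | docker secret create $labels "$name" -
}

# Create a secret from a file, then delete the plaintext copy: once the
# value is in the Swarm store the host file is only an extra place to leak.
create_secret_from_file() {
    name=$1; path=$2
    chmod 600 "$path"
    docker secret create "$name" "$path" || return 1
    rm -f "$path"   # plain rm; use shred or an encrypted tmpfs for stronger guarantees
}

# Read one label back via inspect's Go template instead of eyeballing JSON.
label_of() { docker secret inspect --format "{{ index .Spec.Labels \"$2\" }}" "$1"; }

# Succeeds only if the plaintext value appears nowhere in the inspect output.
inspect_hides_value() { ! docker secret inspect "$1" | grep -qF -- "$2"; }

if [ "${1:-}" = "demo" ]; then
    create_secret my_password_secret "mysecretpassword"
    create_secret my_labeled_secret "anothersecretvalue" env=production app=webserver
    echo "env label: $(label_of my_labeled_secret env)"
    inspect_hides_value my_labeled_secret "anothersecretvalue" && echo "inspect hides the value"
fi
```

Run it as sh secrets.sh demo on a Swarm manager; without the demo argument the file only defines the functions so it can be sourced from other scripts.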

Summary

In this lab, you learned how to manage sensitive data within Docker using the docker secret create command. You practiced creating secrets by reading data directly from standard input (STDIN), which avoids writing the sensitive value to a file on the host. You also learned how to create secrets from the content of a file, a common method for managing sensitive data such as API keys or certificates.

Furthermore, you explored how to add labels to a secret at creation time, which makes secrets easier to organize and identify. Finally, you learned how to inspect created secrets to verify their name, labels and other metadata. Together, these techniques give you a secure way to handle sensitive information in a Docker Swarm environment.