Best Practice: Storing a Private Key in the Image for Encrypting User Data and Saving It to the DB at Run Time (--SECRET, ENV, ARG)

I am looking to become better familiar with Docker and understand the concepts. My question is about the --secret.

As I understand it, --secret is great for encrypting sensitive data so it doesn't leave traces during build, etc.

  • E.g. Getting the source code from git private repo.

The keys become available in run/secret and can be read at run time.

It also plays an essential role whether you use docker build, docker-compose build or docker compose.

Concrete:
I want to use a key to store certain user data encrypted on the DB and decrypt it if necessary.

Best practice question:
Where and how should a key be stored?

My approach:
I don't want to store the private key on the host as a file; I would prefer to read it from memory, like run/secret.
This works for me with docker-compose build locally, because the orchestration is done by Docker.

(ENV: I don't want to store it as an environment variable, because someone who has access to the host can read it too.)
ISSUE: Now when I build the image and run it on a PaaS, run/secret is no longer available, since the orchestration is not taken care of by Docker.

My question would be: how/where can and should I store such a private key?
What is the state-of-the-art approach?

I am banging my head on this and would appreciate any help.

Docker secrets work with Docker Swarm, but eventually the secrets will be readable by anyone who can access the nodes/containers, so you still need to make sure that not everyone can do that. There is an old video about secrets in general and also about HashiCorp Vault, which can make your secret more secure (I am sure you could find a more recent video as well).

At the end of the video it mentions a URL to a white paper which is not available anymore, but you can read the following post too to understand how you can use it with Docker.
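As an added example (not code from either poster), the pattern the question describes: a Go service reads the key from the mounted secret file rather than from an environment variable and uses it to encrypt records before they reach the DB, so the database only ever holds ciphertext. The secret name user_data_key, the raw 32-byte key format and having the caller pass in the secrets directory (normally /run/secrets) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"os"
	"path/filepath"
)

// Cipher encrypts user data with AES-256-GCM keyed from a Docker secret file.
type Cipher struct{ aead cipher.AEAD }

// FromSecret reads the raw 32-byte key at <dir>/<name>, the path Docker mounts
// under /run/secrets at run time; the key comes from that file, never from ENV.
func FromSecret(dir, name string) (*Cipher, error) {
	key, err := os.ReadFile(filepath.Join(dir, name))
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("secret must be exactly 32 bytes (AES-256)")
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Cipher{aead: aead}, nil
}

// Encrypt returns base64(nonce||ciphertext), one text value for a DB column;
// every record gets a fresh random nonce.
func (c *Cipher) Encrypt(plaintext []byte) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plaintext, nil)), nil
}

// Decrypt reverses Encrypt; GCM authentication makes it fail on altered records.
func (c *Cipher) Decrypt(stored string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	n := c.aead.NonceSize()
	if err != nil || len(sealed) < n {
		return nil, errors.New("malformed stored value")
	}
	return c.aead.Open(nil, sealed[:n], sealed[n:], nil)
}
```

On a PaaS that does not mount secrets as files, the same FromSecret call can point at whatever path the platform's secret store or Vault agent writes the key to, keeping the key out of the image and the environment.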