Docker Community Forums

Share and learn in the Docker community.

Docker config vs Docker secret


What is the main difference between docker config and docker secret in docker version 17.06.0-ce?


They both operate the same way, except secrets are encrypted whilst configs are not encrypted at rest. However, configs are still stored in the raft log which is encrypted so this is a little misleading.

So what should I rather use? In our infrastructure we have certificates and configuration files (json files). Can I safely use secrets for both or is it planned to combine these two parts in a way?

In my personal feeling, if it is passwords or private keys, etc, I use secret
If it is just config files, public keys, public certificate, anything not sensitive, I use config.

@wiziah: What does ‘not encrypted at rest’ mean?

The docker cli (docker config inspect, docker secret inspect) will return a base64 encoded data for the config case, but not for the secret case.

I observe the daemon api documentation shows that both the secret and config data is returned as base64 encoded. Can someone confirm that the secret is not exposed by the api?

Why don’t you simply source an ENV file in your entry point when the ENV file exists? It’s pretty common practice.

We mount a secret into /env on our containers all the time - that’s a mainstream pattern that is really helpful.