How do you pass secrets to docker at runtime?

I understand this has been brought up before in Linux community but I’m wondering how do you pass securily some runtime parameters to container. For example I create username/password in EntryPoint script which shall be different during runtime for different environments. I used to use Environment variables but those exists within container after initialization (not concerned them available on host). The solution at least for my problem is just to remove those environment variables once initialisation is done but I can not seem to locate in externall powershell session once logged in container.
Powershell 5 provides excellent ways to deal with it with Protect-CMSMessage which is based PKI to encrypt/decrypt securables. I hope Docker/Microsoft has some sort of guidlines the best way to handle this situation applicable to Windows Containers.

@artisticcheese - I am using a Linux container but I think it will behave the same, meaning that the environment variables will be defined repeatedly for every session that is open to the container. I think you’ll be interested in my suggestion as well.

I am using it to deploy logic in customers networks, while the customer is responsible for the setup itself, and need to be able to configure different secrets for different customers. Because of the nature of my deployment I don’t want to use swarm or load my customers with mounting and managing volumes. (please consider that I give my customer the freedom to choose on which OS he runs the container, and therefore I don’t want to spend time on developing supporting tools for each OS and would like the ability to work with docker command only)
Something like env variables that are passed only for “docker run” would be perfect for me as at this point my container uses the secrets to configure everything it needs and doesn’t care for restarts from that point on.
Is there a formal/workaround way to do something like that?
Will it be possible to implement let’s say “run variables” (passed with -re instead of -e) that will apply only to the “run environment”?
Implementing a variable removal functionality will get the same results and will be just as helpful!