
Managing Secrets in Docker: .env, Build Args, and Secrets Mount

April 6, 2026 · 3 min read · By CodeTidy Team

The Secret Life of Docker: Managing Sensitive Data

We've all been there: stuck debugging a Docker container that just won't run, only to realize that a sensitive environment variable was hardcoded in the Dockerfile. Don't worry, we've got you covered. In this article, we'll dive into Docker secrets management and the practices that keep your sensitive data out of images, logs and version control.

Table of Contents

  • Managing Secrets with .env Files
  • Using ARG and ENV in Dockerfiles
  • BuildKit Secrets Mount: A New Way to Manage Secrets
  • Docker Swarm Secrets: Centralized Secret Management
  • Best Practices for Managing Secrets in Docker

Managing Secrets with .env Files

One common approach to managing secrets in Docker is to use .env files. These files contain key-value pairs of environment variables that can be easily imported into a Docker container. Here's an example of a .env file:

DB_HOST=localhost
DB_PORT=5432
DB_USER=myuser
DB_PASSWORD=mypassword

To use this file in a Docker container, you can specify the --env-file flag when running the container:

docker run -it --env-file=.env myapp

This approach is simple and easy to manage, but it has some limitations. If you need to share secrets across multiple containers or services, you'll need to duplicate the .env file or use a more complex configuration management system. The values also end up as ordinary environment variables: docker inspect shows them to anyone with access to the Docker API, and every process in the container can read them. Keep the .env file out of version control and treat it as a convenience for development rather than a secret store.

Using ARG and ENV in Dockerfiles

Another approach to managing secrets in Docker is to use ARG and ENV instructions in your Dockerfile. ARG allows you to define build-time variables, while ENV sets environment variables for the container at runtime. Here's an example Dockerfile that uses both:

# Base image (assumed here so the Dockerfile is complete; the original omitted it)
FROM alpine

# Set build-time variable
ARG DB_PASSWORD

# Set environment variables for the container
ENV DB_HOST=localhost
ENV DB_PORT=5432
ENV DB_USER=myuser
# Copies the build argument into the image's persisted configuration
ENV DB_PASSWORD=$DB_PASSWORD

In this example, DB_PASSWORD is declared at build time with the ARG instruction, so the password can be passed as a build argument when building the image:

docker build -t myapp --build-arg DB_PASSWORD=mypassword .

Be aware of what this does to the finished image. Build arguments are recorded in the image metadata and shown by docker history, and the ENV line copies the value into the image configuration, where docker inspect exposes it. Anyone who can pull the image can therefore read the password, which is exactly the hardcoding the takeaways at the end warn against; Docker's own Dockerfile reference advises against passing secrets through build arguments for this reason.

BuildKit Secrets Mount: A New Way to Manage Secrets

BuildKit is Docker's build backend (the default builder in current Docker Engine releases) and it provides a more efficient and secure way to handle secrets during a build. With BuildKit, you can mount a secret as a file that is visible only to a single build step, eliminating the need to pass sensitive data as environment variables or command-line arguments. Here's an example of how to use the BuildKit secret mount:

# syntax=docker/dockerfile:1
# Base image (assumed here so the Dockerfile is complete; the original omitted it)
FROM alpine

# Mount secret as a file for the duration of this RUN instruction only
RUN --mount=type=secret,id=mysecret,target=/myapp/secret.txt \
    cat /myapp/secret.txt

In this example, the mysecret secret is mounted as a file at /myapp/secret.txt for the duration of that single RUN instruction. The file is supplied at build time through the --secret flag of docker build, using the same id, and it is never written into an image layer, so it does not show up in docker history or docker inspect. If target is omitted, the secret appears at /run/secrets/<id>. The cat here only demonstrates that the file is readable (and would echo the value into the build log); a real Dockerfile would feed the file to the tool that needs it, such as a package manager or a private registry login.
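As an added example (not part of the original post), the following shell script is a pre-build check that flags ARG and ENV instructions whose keys look like secrets, which is the pattern from the ARG/ENV section, and shows that a Dockerfile using the BuildKit secret mount passes clean. The two Dockerfiles it scans are constructed inline, and the key-name patterns (PASSWORD, SECRET, TOKEN, API_KEY, PRIVATE_KEY) are assumptions, not a Docker convention.

```shell
#!/bin/sh
# Added example (not from the original post): flag ARG/ENV instructions whose
# keys look like secrets. Those values stay readable from the finished image
# (docker history for build args, docker inspect for ENV); a secret mount's do not.

# Print one line per finding; return 0 when the Dockerfile is clean, 1 otherwise.
check_dockerfile() {
    file="$1"
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # First word, upper-cased, so "env" and "ENV" are treated alike.
        instr=$(printf '%s' "$line" | awk '{print toupper($1)}')
        case "$instr" in
            ARG|ENV) ;;
            *) continue ;;   # comments, FROM, RUN --mount=type=secret, ...
        esac
        # Drop the keyword; each remaining token is KEY or KEY=value.
        rest=$(printf '%s' "$line" | sed 's/^[[:space:]]*[A-Za-z]*[[:space:]]*//')
        for token in $rest; do
            key=$(printf '%s' "${token%%=*}" | tr '[:lower:]' '[:upper:]')
            case "$key" in
                *PASSWORD*|*SECRET*|*TOKEN*|*API_KEY*|*PRIVATE_KEY*)
                    printf '%s:%d: %s %s is baked into the image\n' \
                        "$file" "$lineno" "$instr" "${token%%=*}"
                    findings=$((findings + 1))
                    ;;
            esac
        done
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed inputs: the post's ARG/ENV Dockerfile versus a secret mount.
tmpdir=$(mktemp -d)
cat > "$tmpdir/Dockerfile.argenv" <<'EOF'
FROM alpine
ARG DB_PASSWORD
ENV DB_HOST=localhost DB_USER=myuser
ENV DB_PASSWORD=$DB_PASSWORD
EOF
cat > "$tmpdir/Dockerfile.secret" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=mysecret,target=/myapp/secret.txt \
    cat /myapp/secret.txt
EOF
check_dockerfile "$tmpdir/Dockerfile.argenv" || echo "argenv: NOT clean"
check_dockerfile "$tmpdir/Dockerfile.secret" && echo "secret mount: clean"
```

Run it against your own Dockerfiles before docker build; a non-zero exit is a convenient gate in CI.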

Docker Swarm Secrets: Centralized Secret Management

Docker Swarm provides a centralized way to manage secrets across multiple containers and services. Secrets are stored encrypted in the swarm's Raft log, and each service that references one receives it inside the container as a file at /run/secrets/<name> on an in-memory filesystem, rather than as an environment variable. Here's an example of how to create a Docker Swarm secret from a file:

docker secret create mysecret mypassword.txt

You can then reference the secret in your Docker Compose file:

# secrets require compose file format 3.1 or later
version: '3.1'
services:
  myapp:
    image: myapp
    secrets:
      - mysecret
# declare the secret at top level; external means it was created with docker secret create
secrets:
  mysecret:
    external: true

Best Practices for Managing Secrets in Docker

So, what's the best way to manage secrets in Docker? We recommend using a combination of .env files, ARG and ENV instructions, and BuildKit secrets mount. Here are some key takeaways to keep in mind:

  • Use .env files for simple use cases: .env files are easy to manage and work well for small projects or development environments.
  • Use ARG and ENV for build-time variables: ARG and ENV instructions are a flexible way to pass configuration at build time and runtime, but anything placed in them is readable from the image, so keep actual secrets out of them.
  • Use BuildKit secrets mount for secure builds: BuildKit secrets mount provides a secure way to manage secrets during the build process.
  • Use Docker Swarm secrets for centralized management: Docker Swarm secrets provide a centralized way to manage secrets across multiple containers and services.

Key Takeaways

  • Use a combination of .env files, ARG and ENV instructions, and BuildKit secrets mount to manage secrets in Docker.
  • Use Docker Swarm secrets for centralized secret management.
  • Avoid hardcoding sensitive data in Dockerfiles or environment variables.

FAQ

Q: What is the difference between ARG and ENV in Dockerfiles?

A: ARG sets build-time variables, while ENV sets environment variables for the container at runtime.

Q: How do I use BuildKit secrets mount in my Dockerfile?

A: Put # syntax=docker/dockerfile:1 at the top of the Dockerfile, then add --mount=type=secret,id=... to the RUN instruction that needs the value and supply the file with the --secret flag of docker build. The secret exists only during that instruction and is not written to the image.

Q: What is Docker Swarm secrets and how does it work?

A: Docker Swarm secrets is a centralized way to manage secrets across multiple containers and services. You can store sensitive data in a secure storage system and reference it in your services using a simple syntax.
