Run Docker in production with environment variables that are secret and cannot be seen on the server

I need to send environment variables to my application running in a container, but I understand that it is bad practice for the ".env" file to be on the server, since the "root" user could read it. What would be the best option to use these variables in my application, leaving no trace on the server and without using Kubernetes?

Upvotes: 1

Views: 164

Answers (1)

Atomyyy

Reputation: 81

There are several solutions, depending on your actual production stack:

(1) Running on a k8s cluster

Kubernetes supports users uploading a binary as a secret. You could mount the secret into your production pod to decouple your Docker image from the secret.

https://kubernetes.io/docs/concepts/configuration/secret/

(2) Docker on a standalone server

This is an isomorphic solution to (1), but without native support from k8s.

https://docs.docker.com/storage/volumes/

(3) External Key management service

If you are hosting your application in the cloud, there are many more options for you to consider. Take Azure as an example: if you are hosting your application on a virtual machine, you could use a service like Azure KeyVault:

https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts

The concept is that all your keys are stored in the service and obtained by connecting your server to it. You could have the secrets loaded into your application on the fly, fetching them from KeyVault, which prevents leaving a secret footprint on your service instance. The connection between the Key Management Service and your virtual machine could be configured in a passwordless way (IAM in AWS / managed identity in Azure) to prevent having a secret on your server.

Upvotes: 1
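An added example of option (3), not code from the answer above: a small startup loader that pulls the values an application would otherwise read from ".env" out of Azure Key Vault through the VM's managed identity, keeping them only in process memory. The `fetch` callable is injected so the mapping and error handling can be exercised offline; the `KEYVAULT_URL` variable and secret names `DB_PASSWORD`/`API_TOKEN` are assumptions for illustration.

```python
"""Load application secrets at startup from Azure Key Vault instead of a .env file."""
import os
from typing import Callable, Dict, Iterable


def env_to_secret_name(env_name: str) -> str:
    """Key Vault secret names allow only letters, digits and hyphens,
    so an environment-variable name such as DB_PASSWORD is stored as 'db-password'."""
    return env_name.lower().replace("_", "-")


def load_secrets(env_names: Iterable[str], fetch: Callable[[str], str]) -> Dict[str, str]:
    """Resolve each wanted variable from the vault via `fetch(secret_name) -> value`.

    Values stay in memory only; nothing is written to disk. A missing or empty
    secret fails at startup instead of surfacing later as an empty password.
    """
    loaded: Dict[str, str] = {}
    for env_name in env_names:
        value = fetch(env_to_secret_name(env_name))
        if not value:
            raise RuntimeError(f"secret for {env_name} is missing or empty")
        loaded[env_name] = value
    return loaded


def keyvault_fetcher(vault_url: str) -> Callable[[str], str]:
    """Build a fetch function backed by Azure Key Vault.

    DefaultAzureCredential picks up the VM's managed identity, so no credential
    is stored on the server. The imports are local so the rest of this module
    runs without the Azure SDK installed.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return lambda name: client.get_secret(name).value


if __name__ == "__main__":
    # The vault URL is not secret; it can come from the unit file or compose file.
    # Placeholder form: https://<vault-name>.vault.azure.net/
    vault_url = os.environ["KEYVAULT_URL"]
    secrets = load_secrets(["DB_PASSWORD", "API_TOKEN"], keyvault_fetcher(vault_url))
    # Hand `secrets` to the application's config; log names only, never values.
    print("loaded secrets:", ", ".join(sorted(secrets)))
```

Keep the values in the process's own objects rather than exporting them to the environment or a file: root on the host can still read a running process's environment via /proc, so in-memory handling is what actually removes the on-server footprint the answer describes.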
