DigitalOcean

Question

How can I securely store environment variables like API keys in my Docker containers?

I’m running a few Docker containers on my Droplet, and some of these apps require sensitive data like API keys and database credentials. Right now, I’m passing them directly in the Docker run command with -e, but I’m worried this isn’t secure. What are some best practices for securely storing and managing environment variables in Docker containers? Should I be using something like Docker secrets, and how does that work on a single Droplet?

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
October 8, 2024

Hey there 👋,

If you’re using Docker in a Swarm or Kubernetes setup, Docker Secrets is a great way to securely manage sensitive information. Secrets are encrypted and are only available to the containers that need them. However, this feature isn’t available for standalone Docker instances (like on a single Droplet), but it’s something to keep in mind if you’re using orchestration tools.

For Docker Swarm:

docker secret create my_secret_file /path/to/secret/file

You can then access the secret inside your container via a mounted file.

Another simpler approach you can take for single-Droplet setups is using .env files. Store your environment variables in a .env file and then reference them inside your docker-compose.yml or docker run commands.

Example .env file:

API_KEY=your-api-key
DB_PASSWORD=your-db-password

You can load this file when running the container:

docker run --env-file .env your_image

Or in your docker-compose.yml:

version: "3"
services:
  app:
    image: your_image
    env_file:
      - .env

If you don’t want to use .env files, you can also mount a volume with a file containing the sensitive data. This way, you don’t expose secrets as environment variables but instead as files in your container.

Example:

docker run -v /path/to/secret_file:/run/secrets/secret your_image

Hope that helps!

- Bobby

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.