From what I understand, Docker secrets and mounts (bind and volume) are all secure ways of managing secrets within a Docker container. I am wondering whether secrets has any security advantages?
I have an arbitrarily sized group of secrets. The secrets are kept in separate files in a folder. They periodically and automatically change. I want to make all of them available to a Docker container. Using a bind mount, I can mount their folder and they will all be accessible. Using secrets, I would have to specify each one in the Docker Compose file, increasing coupling and reducing maintainability. Is there any reason I should choose to go with secrets at the cost of maintainability?
I was thinking the same recently, not wanting to actually use Docker Swarm or running anything distributed. In my case, the starting point was a project using .env containing secrets. If you have a simple Docker Compose project, there is no added value from using Docker secrets managed via docker secret. Note that without actually being a Swarm manager, you cannot even create secrets with docker secret!
Unbeknownst to many, Docker Compose actually has support for mounting secrets just like Docker Swarm, with the exception that it only works for local files. So this would be a valid Docker Compose config:
```yaml
version: "3.9"
services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    file: db_password.txt
  db_root_password:
    file: db_root_password.txt
volumes:
  db_data:
```
You don't really gain a lot of extra security or added value here, apart from the fact that you separate the volumes and other types of configuration (via env) from the secrets, which provides a little bit of extra safeguard against accidentally committing a secret to a repository, or mounting the wrong file to the wrong container, etc.
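As an added illustration (not code from the answer above, nor from the mysql/wordpress images), here is how an application would consume the `*_FILE` convention that the Compose file relies on, alongside the bind-mounted folder of rotating secrets from the question. Function names and the temporary demo directory are assumptions of this example; the file is re-read on each call so that a rotated secret is picked up, and a world-writable secret file is refused.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional


def read_secret(name: str, env: Optional[Mapping[str, str]] = None,
                secrets_dir: str = "/run/secrets") -> str:
    """Resolve one secret the way the mysql/wordpress images above do.

    Precedence: <NAME>_FILE (a path such as /run/secrets/db_password), then a
    file called <name> inside secrets_dir, then a plain <NAME> variable. The
    file is re-read on every call, so a rotated secret needs no restart.
    """
    env = os.environ if env is None else env
    var = name.upper()
    path = Path(env.get(f"{var}_FILE") or os.path.join(secrets_dir, name))
    if path.is_file():
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:  # anyone could rewrite it: refuse to trust the value
            raise PermissionError(f"{path} is world-writable (mode {mode:o})")
        return path.read_text(encoding="utf-8").rstrip("\r\n")
    if var in env:
        return env[var]
    raise KeyError(f"secret {name!r}: no {var}_FILE, no {secrets_dir}/{name}, no ${var}")


def load_all(secrets_dir: str = "/run/secrets") -> Dict[str, str]:
    """Bind-mounted folder case from the question: read every regular file.

    Sub-directories and dotfiles are skipped so that a stray .git or editor
    backup in the mounted folder is never treated as a secret.
    """
    out: Dict[str, str] = {}
    for entry in sorted(Path(secrets_dir).iterdir()):
        if entry.is_file() and not entry.name.startswith("."):
            out[entry.name] = read_secret(entry.name, env={}, secrets_dir=secrets_dir)
    return out


def make_demo_secrets() -> str:
    """Constructed sample data: a temp directory standing in for /run/secrets."""
    d = tempfile.mkdtemp(prefix="secrets-demo-")
    for fname, value in (("db_password", "wp-pass\n"), ("db_root_password", "root-pass\n")):
        p = Path(d, fname)
        p.write_text(value, encoding="utf-8")
        p.chmod(0o400)  # owner read-only, as a secret file should be kept
    Path(d, ".keep").write_text("", encoding="utf-8")  # dotfile, must be ignored
    return d
```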