0

What is the difference between storing secrets as a podman secret and storing them in an environment file? In what way is the secret more secure, if at all?

In other words,

podman secret create my_secrets envfile
...
podman run --secret source=my_secret,type=mount,...

after which the code that runs does source /run/secrets/my_secret prior to executing the service which needs the secrets defined through environment vars

versus

podman run --env-file=envfile ...

and the service code that runs finds the environment variables defined.

I'm using rootless podman. THe envfile is as secure as the account which does the podman run. I can see that the secret is defined in a json file in the podman images storage location, with protection such that only this user can access it. Same for the envfile.

nigel222
  • 151

1 Answers1

0

Both have many differences, however major difference is in use case.

Use --env-file for non-sensitive configuration that can be shared openly and doesn’t require secure storage.

Use --secret for sensitive data to leverage Podman’s secure storage and minimize exposure risks.

For container cloning, consider baking non-sensitive variables into the image or reapplying the same --env-file or --secret to the cloned container to maintain consistency.

asktyagi
  • 3,038