Rotate Secrets.
Zero Downtime.
Open-source Docker plugin that rotates credentials automatically — no restarts, no manual scripts, no downtime.
The problem
Secret rotation today
breaks production.
Teams choose: rotate and accept downtime, or skip rotation and accept risk.
Secret Changes
Password rotated in your secret provider.
Manual Restart
Team scrambles to restart containers manually.
Connections Drop
Active requests fail. Customers see errors.
On-Call Panic
Incident channel lights up. Pages go out.
The result
Downtime, failed requests, customer impact. Many teams skip rotation entirely — leaving secrets unchanged for months. That's worse.
Architecture
How DSO works
An event-driven engine between your secret provider and containers — credentials rotate without touching traffic.
Developer
Triggers rotation
Secret Provider
AWS / Vault / Azure / Huawei
DSO Engine
Orchestrates zero-downtime swap
Docker Compose
Container lifecycle
Running Containers
Seamlessly updated
Developer
Triggers rotation
Secret Provider
AWS / Vault / Azure / Huawei
DSO Engine
Orchestrates zero-downtime swap
Docker Compose
Container lifecycle
Running Containers
Seamlessly updated
Lifecycle
Secret lifecycle
Every secret follows a controlled path from creation to destruction. DSO manages every step automatically.
Create
Secret is created in your provider with appropriate permissions and policies.
Capabilities
What DSO delivers
Runtime Injection
Secrets injected at container start — never baked into images or configs.
Zero Persistence
Nothing written to disk. Secrets exist only in container memory at runtime.
Automatic Rotation
Detect, rotate, and verify — completely hands-free. Rollback on failure.
Provider Plugins
Swap providers without changing application code. AWS, Vault, Azure, Huawei.
Docker Native
Built for Docker Compose. No Kubernetes, no cloud lock-in, no agents.
Audit Ready
Complete rotation audit trail. Every event logged, timestamped, traceable.
Integrations
Works with your
secret provider
Swap providers without changing application code.
HashiCorp Vault
Self-hosted or HCP Vault with full TLS and audit trail support.
AWS Secrets Manager
Native AWS integration with IAM-based access and automatic versioning.
Azure Key Vault
Microsoft Azure managed secret storage with Azure AD RBAC.
Huawei Cloud CSMS
NewCloud Secret Management Service for Huawei Cloud workloads.
Local Vault
Encrypted local store for dev and air-gapped environments. No cloud needed.
CLI
Built for operators
Full lifecycle control from the command line. Works with your existing Docker workflow.
Install in one command
docker dso setupInteractive setup wizard
docker dso upDeploy stack with secret injection
docker dso statusShow runtime operational status
docker dso sync --secret <name>Trigger immediate synchronization
docker dso validateValidate DSO configuration
docker dso diffShow config vs deployed diff
docker dso logsView DSO agent logs
docker dso secret set <path>Store a secret in local vault
Security
Security guarantees
Hard architectural constraints — not aspirations.
Zero disk persistence
Nothing written to disk, files, or databases. Secrets exist only in container memory.
Runtime-only injection
Credentials fetched from your provider at container start. DSO is a conduit, not a store.
Automatic cleanup
On container stop or rotation, in-memory secrets are purged immediately.
Encrypted in transit
All provider communication uses TLS with certificate verification. No plaintext secrets.
Least privilege
DSO requests only the secrets it needs, with minimum required permissions per provider IAM.
Rollback on failure
If a new container fails health checks, DSO rolls back automatically to the last known good state.
Start rotating secrets
in minutes.
No manual scripts. No container restarts. No downtime. One command to install, one command to start.