Automatic Secret Rotation for Docker

Zero downtime. Automatic recovery. No Kubernetes required.

DSO detects secret changes automatically, spawns a healthy new container, swaps traffic atomically, and rolls back on failure, all in about 5 seconds. No 3am pages. No operator fatigue.

Trusted by teams managing 100k+ secrets in production

The Problem: Manual Secret Rotation

See what happens without automation, versus with DSO

Without DSO (Status Quo)

  Time     Event                                    State
  0s       Secret expires in provider
  1-2s     App tries to use expired secret          🔴 DOWN
  5-10s    Authentication fails                     🔴 DOWN
  ~15s     Container crashes                        🔴 DOWN
  15-20s   Alert fires (incident starts)            ⚠️ INCIDENT
  20-30m   On-call engineer is paged and wakes up
  30-40m   Manual rollback / restart deployed

With DSO

  Time     Event                                    State
  0s       Secret expires in provider
  ~1s      DSO detects change automatically         ✓ UP
  ~2s      New container spawned (green)            ✓ UP
  ~3s      Health checks pass                       ✓ UP
  ~4s      Traffic swaps atomically                 ✓ UP
  ~5s      Old container stops                      ✓ UP
  ~5s      Done. Zero downtime.                     🟢 ZERO DOWNTIME

About 5 seconds vs 20+ minutes

That's the difference between "rotation" and "incident"

How it works

Three simple steps. Zero code changes. Zero downtime.

Step 1

Detects Change

Watches for secret updates from Vault, AWS, Azure, etc.

Step 2

Rotates Safely

Creates new container, validates health, swaps traffic atomically.

Step 3

Recovers Automatically

If anything fails, rolls back automatically. Your app stays up.

Atomic. Health-Checked. Recoverable.

Every rotation is all-or-nothing. New container must be healthy. If it fails, we roll back automatically.

Zero-Downtime Rotation

5 steps in ~5 seconds

  1. Secret changes: the watch detects the update
  2. Spawn green: a new container is started
  3. Health check: validate that the new container is running and healthy
  4. Atomic swap: traffic moves with zero downtime
  5. Cleanup: stop the old container

Built for Production

Defense-in-depth security with operational guarantees that keep your app running.

Defense in Depth

Three layers of isolation prevent secrets from reaching untrusted boundaries.

Cloud Boundary

  • AWS Secrets Manager / Azure Key Vault / HashiCorp Vault
  • Encrypted at rest by provider
  • TLS 1.3 encryption in transit
  • Machine identity authentication

Host Boundary

  • dso-agent daemon (systemd service)
  • Secrets in locked memory (mlock)
  • Unix socket isolation (/run/dso/dso.sock)
  • No disk persistence

Container Sandbox

  • tmpfs mount (/run/secrets/)
  • Secrets in RAM only
  • Isolated namespace
  • Auto-cleanup on container stop

Zero-Persistence Guarantee

Plaintext secrets are held only in memory: locked pages in the agent and a tmpfs mount in the container. They never touch the host filesystem, so if the machine loses power or crashes they are gone with it, leaving nothing on disk. One caveat a deployment must honour for this to hold: tmpfs pages are ordinary memory and can be written to swap unless swap is disabled or the pages are locked, so keep swap off (or encrypted) on hosts that run the agent.
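The following audit script is an added example and is not part of DSO or its tooling. It checks, on a Linux host, the properties listed above for the host and container boundaries: that the IPC socket is a Unix socket without world-accessible permission bits, that the agent process actually holds locked memory (VmLck in /proc/<pid>/status), that no swap device is active, and that the container's secrets directory is a tmpfs mount. Only the socket path and the mount path come from the page; the function names, argument layout and the sample /proc text are assumptions made for this illustration, and the samples are constructed rather than captured from a real host.

```python
from __future__ import annotations

import os
import stat

SOCKET_PATH = "/run/dso/dso.sock"   # agent IPC socket named on the page
SECRETS_MOUNT = "/run/secrets"      # container-side tmpfs named on the page


def socket_mode_ok(st_mode: int) -> bool:
    """Only a Unix socket with no 'other' permission bits passes (0o660 yes, 0o666 no)."""
    return stat.S_ISSOCK(st_mode) and (stat.S_IMODE(st_mode) & 0o007) == 0


def vm_locked_kb(status_text: str) -> int:
    """VmLck from /proc/<pid>/status: 0 means the agent has mlock()ed nothing."""
    for line in status_text.splitlines():
        if line.startswith("VmLck:"):
            return int(line.split()[1])
    return 0


def swap_devices(swaps_text: str) -> list[str]:
    """Active swap devices from /proc/swaps (the first line is the header)."""
    return [l.split()[0] for l in swaps_text.splitlines()[1:] if l.strip()]


def mount_fstype(mounts_text: str, mountpoint: str) -> str | None:
    """Filesystem type of a mountpoint from a /proc/<pid>/mounts listing."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[1] == mountpoint:
            return f[2]
    return None


def audit(sock_mode: int, agent_status: str, swaps: str, container_mounts: str,
          secrets_mount: str = SECRETS_MOUNT) -> list[str]:
    """Return a list of findings; an empty list means every checked property holds."""
    findings = []
    if not socket_mode_ok(sock_mode):
        findings.append("IPC socket is not a socket or is world-accessible")
    if vm_locked_kb(agent_status) == 0:
        findings.append("agent holds no locked memory (VmLck 0 kB): secrets may be swapped")
    if swap_devices(swaps):
        findings.append("swap is active: unlocked pages (including tmpfs) can reach disk")
    if mount_fstype(container_mounts, secrets_mount) != "tmpfs":
        findings.append(f"{secrets_mount} is not a tmpfs mount in the container")
    return findings


def audit_live_host(agent_pid: int, container_pid: int,
                    socket_path: str = SOCKET_PATH) -> list[str]:
    """Linux only: read the real kernel interfaces and run the same checks."""
    def read(path: str) -> str:
        with open(path) as fh:
            return fh.read()
    # /proc/<pid>/mounts shows the mount namespace of that process, so the
    # container's view of /run/secrets is read through the container's PID.
    return audit(os.stat(socket_path).st_mode, read(f"/proc/{agent_pid}/status"),
                 read("/proc/swaps"), read(f"/proc/{container_pid}/mounts"))


# Constructed sample inputs (not captured from a real host) for an offline dry run.
SAMPLE_GOOD = dict(
    sock_mode=stat.S_IFSOCK | 0o660,
    agent_status="Name:\tdso-agent\nVmLck:\t     512 kB\n",
    swaps="Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n",
    container_mounts="tmpfs /run/secrets tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n",
)
SAMPLE_BAD = dict(
    sock_mode=stat.S_IFSOCK | 0o666,
    agent_status="Name:\tdso-agent\nVmLck:\t       0 kB\n",
    swaps="Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n/dev/sda2 partition 2097148 0 -2\n",
    container_mounts="overlay / overlay rw 0 0\n",
)

if __name__ == "__main__":
    print("good host:", audit(**SAMPLE_GOOD))
    print("bad host: ", audit(**SAMPLE_BAD))
```

On a real host, `audit_live_host(<agent pid>, <container pid>)` runs the same checks against the kernel's own view; the pure functions take text so the checks can also be run against `/proc` dumps collected during an incident.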

Operational Guarantees

Every rotation is atomic, health-checked, and crash-recoverable by default.

Atomic Updates

Atomic Swap

Container swap is all-or-nothing. No partial states, no traffic split, no inconsistency.

Health & Safety

Health-Checked

New container must pass health checks before traffic switches. Bad containers are never promoted.

Recovery

Auto-Rollback

If anything fails during rotation, automatic rollback restores the last known-good container instantly.

Recovery

Crash-Safe

Agent crashes don't lose state: on restart, rotations resume from the write-ahead checkpoint.


Automatic Recovery

Agent crashes? Secrets in flight? DSO detects and recovers automatically. Old rotations are rolled back, containers are cleaned up, and state is validated on restart. Most incidents need zero operator intervention.
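To make the five-step rotation described under "How it works" and the atomic, health-checked, crash-safe guarantees above concrete, here is an added example of a blue/green rotation engine with a write-ahead log. It is not DSO's code: FakeRuntime, WAL, rotate, recover and the CrashMidRotation hook are all assumptions of this sketch, and the runtime is an in-memory stand-in for the Docker Engine API so the whole thing runs offline. The scenario in demo() is constructed: one clean rotation, one container that never becomes healthy, and an agent crash after each logged step.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeRuntime:
    """Stand-in for the Docker Engine API (constructed for this example)."""
    healthy_secrets: set = field(default_factory=set)  # secrets a container can boot with
    containers: dict = field(default_factory=dict)     # container id -> secret it was given
    active: str | None = None                          # container currently receiving traffic
    _n: int = 0

    def spawn(self, secret: str) -> str:
        self._n += 1
        cid = f"c{self._n}"
        self.containers[cid] = secret
        return cid

    def healthy(self, cid: str) -> bool:
        return self.containers[cid] in self.healthy_secrets

    def swap(self, cid: str) -> None:
        self.active = cid  # single pointer update: no traffic split, no partial state

    def stop(self, cid: str) -> None:
        self.containers.pop(cid, None)


class WAL:
    """Append-only record of rotation steps; plays the role of the write-ahead checkpoint."""

    def __init__(self) -> None:
        self.entries: list[tuple] = []

    def append(self, *entry) -> None:
        self.entries.append(entry)

    def pending(self) -> list[tuple]:
        """Entries of the last rotation if it never reached a terminal record."""
        starts = [i for i, e in enumerate(self.entries) if e[0] == "begin"]
        if not starts:
            return []
        tail = self.entries[starts[-1]:]
        return [] if tail[-1][0] in ("commit", "rolled_back") else tail


class CrashMidRotation(Exception):
    """Raised to simulate the agent dying between two logged steps."""


def rotate(rt: FakeRuntime, wal: WAL, new_secret: str, crash_after: str | None = None) -> str:
    """One rotation: spawn green, health-check, atomic swap, stop old. Returns the outcome."""
    old = rt.active
    wal.append("begin", old, new_secret)
    green = rt.spawn(new_secret)
    wal.append("spawned", green)
    if crash_after == "spawned":
        raise CrashMidRotation
    if not rt.healthy(green):          # an unhealthy container is never promoted
        rt.stop(green)
        wal.append("rolled_back", green)
        return "rolled_back"
    rt.swap(green)
    wal.append("swapped", green)
    if crash_after == "swapped":
        raise CrashMidRotation
    if old is not None:
        rt.stop(old)
    wal.append("commit", green)
    return "committed"


def recover(rt: FakeRuntime, wal: WAL) -> str:
    """On agent restart: finish a rotation whose swap was logged, undo one that was not."""
    tail = wal.pending()
    if not tail:
        return "nothing_to_do"
    steps = {e[0]: e for e in tail}
    old = steps["begin"][1]
    green = steps["spawned"][1] if "spawned" in steps else None
    if "swapped" in steps:             # traffic is already on green: only cleanup remained
        if old is not None:
            rt.stop(old)
        wal.append("commit", green)
        return "resumed"
    if green is not None:              # never promoted: discard it, old keeps serving
        rt.stop(green)
    wal.append("rolled_back", green)
    return "rolled_back"


def demo() -> dict:
    """Constructed scenario: good rotation, bad container, then a crash after each step."""
    rt, wal = FakeRuntime(healthy_secrets={"v1", "v2", "v4"}), WAL()
    out = {"initial": rotate(rt, wal, "v1"), "good": rotate(rt, wal, "v2")}
    out["bad"] = rotate(rt, wal, "v3")                 # v3 never becomes healthy
    for step in ("spawned", "swapped"):
        try:
            rotate(rt, wal, "v4", crash_after=step)
        except CrashMidRotation:
            out[f"crash_after_{step}"] = recover(rt, wal)
    out["active_secret"] = rt.containers[rt.active]
    out["live_containers"] = sorted(rt.containers)
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that every state change is logged before it is made, so after a crash the log alone tells the agent which side of the swap it was on: before the swap the green container is disposable and the old one is still serving, after the swap only the cleanup is outstanding. Nothing in the recovery path needs to re-check health or the secret, which is what keeps it safe to run blindly on restart.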

Dual-Mode Execution

Start local. Scale to cloud. Use the same CLI workflow in every environment.

Local (Development)

  DSO CLI:      docker dso
  Local Vault:  ~/.dso/vault.enc
  Injection:    In-memory RAMfs

No cloud dependency. No root required. Perfect for isolated dev environments.

Cloud Mode (Production)

  DSO CLI:       docker dso
  System Agent:  systemd daemon
  Providers:     AWS / Azure / Vault
  Injection:     Production stack

Enterprise-grade rotation. Managed identity support. Multi-cloud plugins.

Agent Architecture

Seven coordinated components orchestrate secret rotation and recovery.

  • dso-agent: core daemon
  • IPC Controller: Unix socket
  • Docker Event Watcher
  • Rotation Engine
  • State Manager
  • Distributed Lock
  • Plugin Manager

Key Interactions

  → IPC Controller: CLI commands & queries
  → Watcher: Docker event stream
  → Engine: orchestrates rotations
  → State Manager: write-ahead logs
  → Lock Manager: distributed coordination
  → Plugin Manager: provider isolation

Get started in 2 minutes

Copy, paste, done. Three commands.

1
curl -fsSL https://raw.githubusercontent.com/docker-secret-operator/dso/main/scripts/install.sh | sudo bash

Install the DSO Docker plugin. As with any curl | sudo bash installer, download the script first, read it, and run it only once you are satisfied with what it does as root.

2
docker dso init && docker dso secret set DB_PASSWORD your-secret

Initialize your local vault and set your first secret

3
docker compose up -d

Start your Docker stack. DSO handles secret rotation.

✓ Running • Secrets rotating automatically • Zero downtime

Automatic Rotation

Detects secret changes and rotates containers without manual intervention.

Health-Checked Updates

New containers pass health checks before traffic switches. Failed rotations roll back.

Recovery Built In

Crashes don't cause incidents. DSO resumes from checkpoint on restart.

Docker Native

Works with Docker Engine directly. No Kubernetes required.

Ready to automate secret rotation?

Install DSO and deploy your first automated rotation in minutes.