Docker NativeOpen SourceZero Downtime

Rotate Secrets.
Zero Downtime.

Open-source Docker plugin that rotates credentials automatically — no restarts, no manual scripts, no downtime.

curl -fsSL https://raw.githubusercontent.com/docker-secret-operator/dso/main/scripts/install.sh | bash
dso — bash
$
Zero
Downtime
5
Secret Providers
0 bytes
Disk Writes
Auto
Rotation
~50 MB
Memory Footprint

The problem

Secret rotation today
breaks production.

Teams choose: rotate and accept downtime, or skip rotation and accept risk.

Secret Changes

Password rotated in your secret provider.

T+0s

Manual Restart

Team scrambles to restart containers manually.

T+5m

Connections Drop

Active requests fail. Customers see errors.

T+7m

On-Call Panic

Incident channel lights up. Pages go out.

T+10m

The result

Downtime, failed requests, customer impact. Many teams skip rotation entirely — leaving secrets unchanged for months. That's worse.

Architecture

How DSO works

An event-driven engine between your secret provider and containers — credentials rotate without touching traffic.

Developer

Triggers rotation

Secret Provider

AWS / Vault / Azure / Huawei

DSO Engine

Orchestrates zero-downtime swap

Docker Compose

Container lifecycle

Running Containers

Seamlessly updated

Lifecycle

Secret lifecycle

Every secret follows a controlled path from creation to destruction. DSO manages every step automatically.

Create

Secret is created in your provider with appropriate permissions and policies.

Capabilities

What DSO delivers

Runtime Injection

Secrets injected at container start — never baked into images or configs.

Zero Persistence

Nothing written to disk. Secrets exist only in container memory at runtime.

Automatic Rotation

Detect, rotate, and verify — completely hands-free. Rollback on failure.

Provider Plugins

Swap providers without changing application code. AWS, Vault, Azure, Huawei.

Docker Native

Built for Docker Compose. No Kubernetes, no cloud lock-in, no agents.

Audit Ready

Complete rotation audit trail. Every event logged, timestamped, traceable.

CLI

Built for operators

Full lifecycle control from the command line. Works with your existing Docker workflow.

Install in one command

$curl -fsSL https://raw.githubusercontent.com/docker-secret-operator/dso/main/scripts/install.sh | bash
docker dso setup

Interactive setup wizard

docker dso up

Deploy stack with secret injection

docker dso status

Show runtime operational status

docker dso sync --secret <name>

Trigger immediate synchronization

docker dso validate

Validate DSO configuration

docker dso diff

Show config vs deployed diff

docker dso logs

View DSO agent logs

docker dso secret set <path>

Store a secret in local vault

dso — bash
$

Security

Security guarantees

Hard architectural constraints — not aspirations.

Zero disk persistence

Nothing written to disk, files, or databases. Secrets exist only in container memory.

Runtime-only injection

Credentials fetched from your provider at container start. DSO is a conduit, not a store.

Automatic cleanup

On container stop or rotation, in-memory secrets are purged immediately.

Encrypted in transit

All provider communication uses TLS with certificate verification. No plaintext secrets.

Least privilege

DSO requests only the secrets it needs, with minimum required permissions per provider IAM.

Rollback on failure

If a new container fails health checks, DSO rolls back automatically to the last known good state.

Start rotating secrets
in minutes.

No manual scripts. No container restarts. No downtime. One command to install, one command to start.