CLI: Secret

The secret command allows you to manage secrets within your Local Mode vault.

Subcommands

1. secret set

Adds or updates a secret in the local vault.

docker dso secret set <project>/<path> <value>

Example:

echo "s3cr3t" | docker dso secret set myapp/db_password

2. secret get

Retrieves a secret value (masked by default).

docker dso secret get <project>/<path>

Options:

--newline, -n

Append newline to output

3. secret list

Lists all keys currently stored in the vault.

docker dso secret list [project]

Example:

docker dso secret list myapp

4. secret rm

Removes a secret from the vault.

docker dso secret rm <project>/<path>

Example:

docker dso secret rm myapp/db_password

5. env import

Bulk-import secrets from a .env file into the vault.

docker dso env import <file> [project]

Example:

docker dso env import .env.local myapp

Input file format:

DB_HOST=localhost
DB_USER=postgres
DB_PASSWORD=mysecret

Common Workflow

# Initialize vault first
docker dso init
# Set a secret
docker dso secret set myapp/api_key "sk-1234567890"
# View a secret (masked)
docker dso secret get myapp/api_key
# List all secrets in project
docker dso secret list myapp
# Import from .env file
docker dso env import .env.prod myapp

Best Practices

  • Use project namespaces to organize secrets (e.g., myapp/db_password)
  • Never commit secrets to version control
  • Use pipes for sensitive input: echo "secret" | docker dso secret set
  • Regularly audit secrets with docker dso secret list

Related Commands