  on the volume containing the Docker root directory on the host machine to
  ensure that secrets for running containers are encrypted at rest.

- Secret files with custom targets are not directly bind-mounted into Windows
  containers, since Windows does not support non-directory file bind-mounts.
  Instead, secrets for a container are all mounted in
  `C:\ProgramData\Docker\internal\secrets` (an implementation detail which
  should not be relied upon by applications) within the container. Symbolic
  links are used to point from there to the desired target of the secret within
  the container. The default target is `C:\ProgramData\Docker\secrets`.

- When creating a service which uses Windows containers, the options to specify
  UID, GID, and mode are not supported for secrets. Secrets are currently only
  accessible by administrators and users with `system` access within the
  container.

## How Docker manages secrets

When you add a secret to the swarm, Docker sends the secret to the swarm manager
over a mutual TLS connection. The secret is stored in the Raft log, which is
encrypted at rest. By default the key that decrypts the Raft log is kept on the
manager's disk alongside the log; enabling autolock (`docker swarm update
--autolock=true`) keeps that key out of the on-disk state, at the cost of having
to unlock each manager manually after a restart. The entire Raft log is
replicated across the other managers, ensuring the same high availability
guarantees for secrets as for the rest of the swarm management data.

When you grant a newly-created or running service access to a secret, the
decrypted secret is mounted into the container in an in-memory filesystem. The
location of the mount point within the container defaults to
`/run/secrets/<secret_name>` in Linux containers, or
`C:\ProgramData\Docker\secrets` in Windows containers. You can also specify a
custom location.

You can update a service to grant it access to additional secrets or revoke its
access to a given secret at any time.

A node only has access to (encrypted) secrets if the node is a swarm manager or
if it is running service tasks which have been granted access to the secret.
When a container task stops running, the decrypted secrets shared to it are
unmounted from the in-memory filesystem for that container and flushed from the
node's memory.

If a node loses connectivity to the swarm while it is running a task container
with access to a secret, the task container still has access to its secrets, but
cannot receive updates until the node reconnects to the swarm.

You can add or inspect an individual secret at any time, or list all
secrets. You cannot remove a secret that a running service is
using. See [Rotate a secret](secrets.md#example-rotate-a-secret) for a way to
remove a secret without disrupting running services.

To update or roll back secrets more easily, consider adding a version
number or date to the secret name (for example `db_password_v2`). Because you
control the mount point of the secret within a given container, the source
secret can change from one version to the next while the target path the
application reads stays fixed.
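The rotation flow the two paragraphs above describe, as an added example (not a script from the Docker docs): a versioned replacement secret is created from stdin, swapped into the service under an unchanged target path, and the old version is removed only after the service no longer references it, since `docker secret rm` refuses while a running service still uses the secret. The service name `web`, the secret family `db_password`, the versions `v1`/`v2`, and the `uid`/`gid`/`mode` values are assumptions for illustration; `DOCKER` is overridable so the procedure can be exercised without a swarm.

```shell
#!/usr/bin/env sh
# Added example, not part of the Docker documentation.
# Rotate a swarm secret without disrupting the service that consumes it.
set -eu

# Overridable so the steps can be dry-run against a stub (assumed convention).
DOCKER="${DOCKER:-docker}"

# rotate_secret SERVICE NAME OLD_VERSION NEW_VERSION  < new-secret-value
#   Creates NAME_NEW_VERSION, replaces NAME_OLD_VERSION in SERVICE while keeping
#   the in-container target fixed at /run/secrets/NAME, then deletes the old one.
rotate_secret() {
  service=$1; name=$2; old=$3; new=$4
  old_secret="${name}_${old}"
  new_secret="${name}_${new}"

  # 1. Create the new version from stdin so the value never lands in shell
  #    history or in a file on the host.
  "$DOCKER" secret create "$new_secret" -

  # 2. Swap sources. The target stays "$name", so the application keeps reading
  #    the same path; uid/gid/mode are assumed values for the app's runtime user
  #    and are Linux-only (ignored for Windows containers).
  #    --detach=false makes the command block until the rollout has converged.
  "$DOCKER" service update --detach=false \
    --secret-rm "$old_secret" \
    --secret-add "source=${new_secret},target=${name},uid=1000,gid=1000,mode=0400" \
    "$service"

  # 3. Confirm the service spec no longer references the old version before
  #    removing it; docker secret rm would fail anyway, but checking first gives
  #    a clear error instead of a half-finished rotation.
  in_use=$("$DOCKER" service inspect \
    --format '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}} {{end}}' \
    "$service")
  case " $in_use " in
    *" $old_secret "*)
      echo "refusing to remove $old_secret: still referenced by $service" >&2
      return 1 ;;
  esac

  "$DOCKER" secret rm "$old_secret"
}

# Usage (reads the new value from a password manager or file, never from argv):
#   pass show prod/db | rotate_secret web db_password v1 v2
```

Roll-back is the same call with the versions swapped, which is why the versioned names are worth the small naming overhead.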

## Read more about `docker secret` commands

Use these links to read about specific commands, or continue to the
[example about using secrets with a service](secrets.md#simple-example-get-started-with-secrets).

- [`docker secret create`](/reference/cli/docker/secret/create.md)
- [`docker secret inspect`](/reference/cli/docker/secret/inspect.md)
- [`docker secret ls`](/reference/cli/docker/secret/ls.md)
- [`docker secret rm`](/reference/cli/docker/secret/rm.md)
- [`--secret`](/reference/cli/docker/service/create.md#secret) flag for `docker service create`
- [`--secret-add` and `--secret-rm`](/reference/cli/docker/service/update.md#secret-add) flags for `docker service update`

## Examples

This section includes three graduated examples which illustrate how to use
Docker secrets. The images used in these examples have been updated to make it
easier to use Docker secrets. To find out how to modify your own images in
a similar way, see
[Build support for Docker Secrets into your images](#build-support-for-docker-secrets-into-your-images).

> [!NOTE]
>
> These examples use a single-Engine swarm and unscaled services for
> simplicity. The examples use Linux containers, but Windows containers also
> support secrets. See [Windows support](#windows-support).
