Environment variables are a fundamental part of building "Twelve-Factor" applications. They allow you to decouple your configuration from your code. However, managing sensitive information like API keys and database passwords in a Dockerized environment requires careful planning to avoid security leaks.
1. The .env File Approach
During development, using a .env file is the most common method. Docker Compose makes this easy by automatically reading a file named .env in the same directory as your docker-compose.yml.
Never commit .env files to version control. Always add them to your .gitignore.
2. Docker Secrets (Production)
For production environments using Docker Swarm, Docker Secrets is the gold standard. It encrypts your sensitive data both at rest and in transit, and mounts it into an in-memory filesystem inside the container, only for the services that have been granted access to it.
3. Environment Injection via CI/CD
In modern cloud environments, environment variables are often injected directly by the CI/CD pipeline (like GitHub Actions or GitLab CI) or the orchestrator (Kubernetes ConfigMaps and Secrets).
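The pattern that ties the first two sections together is application code that prefers a mounted secret file over a plain environment variable, so the same image runs with a .env file in development and with Docker Secrets in production. The following is an added example, not code from the original article: it assumes secrets are mounted under their lowercase name in /run/secrets (Docker's default), honours the NAME_FILE convention used by many official images, and includes a small audit helper that lists secret-looking values still passed as plain environment variables.

```python
import os
from pathlib import Path

# Docker Swarm mounts secrets in a tmpfs at /run/secrets/<secret_name>.
SECRETS_DIR = Path("/run/secrets")
# Substrings that mark a variable as sensitive for the audit helper (assumed list).
SENSITIVE_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def load_secret(name, environ=None, secrets_dir=SECRETS_DIR):
    """Resolve secret NAME and return (value, source).

    Precedence:
      1. a file named by the NAME_FILE environment variable, or the default
         mount /run/secrets/<name lowercased> (assumed naming convention);
      2. the plain environment variable NAME (development fallback from .env).
    The source is returned so callers can log where a secret came from
    without ever logging the value itself.
    """
    environ = os.environ if environ is None else environ
    candidates = []
    file_hint = environ.get(f"{name}_FILE")
    if file_hint:
        candidates.append(Path(file_hint))
    candidates.append(Path(secrets_dir) / name.lower())
    for path in candidates:
        if path.is_file():
            # Strip only the trailing newline that editors add to secret files.
            value = path.read_text(encoding="utf-8").rstrip("\n")
            if value:
                return value, f"file:{path}"
    value = environ.get(name, "")
    if value:
        return value, "env"
    raise RuntimeError(f"secret {name} is not configured")


def plaintext_secrets_in_env(environ=None):
    """Return sorted names of sensitive-looking variables passed as plain values.

    Variables ending in _FILE are pointers to mounted secrets, not secrets
    themselves, so they are not reported.
    """
    environ = os.environ if environ is None else environ
    return sorted(
        k for k in environ
        if not k.endswith("_FILE") and any(m in k.upper() for m in SENSITIVE_MARKERS)
    )
```

In a container started with a Swarm secret named db_password, load_secret("DB_PASSWORD") reads the mount; on a developer machine with a .env file it falls back to the variable, and the audit helper shows which values are still travelling through the process environment.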
Conclusion
Security is about layers. By combining these methods with proper auditing, you can ensure your secrets stay secret while maintaining the flexibility that Docker provides.