docker pass
| Description | Manage your local OS keychain secrets. |
|---|---|
| Usage | `docker pass set\|get\|ls\|rm` |
Experimental
This command is experimental.
Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release.
Description
Docker Pass is a helper for securely storing secrets in your local OS keychain and injecting them into containers when needed. It uses platform-specific credential storage:
- Windows: Windows Credential Manager API
- macOS: Keychain services API
- Linux: org.freedesktop.secrets API (requires DBus + gnome-keyring or kdewallet)
Secrets can be injected into running containers at runtime using the se:// URI scheme.
Examples
Using keychain secrets in containers
Create a secret:
$ docker pass set GH_TOKEN=123456789
Create a secret from STDIN:
$ echo "my_val" | docker pass set GH_TOKEN
Run a container that uses the secret:
$ docker run -e GH_TOKEN= -dt --name demo busybox
Inspect the secret from inside the container:
$ docker exec demo sh -c 'echo $GH_TOKEN'
123456789
Explicitly assign a secret to a different environment variable:
$ docker run -e GITHUB_TOKEN=se://GH_TOKEN -dt --name demo busybox
Using keychain secrets in Compose
Store the secrets:
$ docker pass set myapp/anthropic/api-key=sk-ant-...
$ docker pass set myapp/postgres/password=s3cr3t
services:
  api:
    image: service1
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
      - POSTGRES_PASSWORD=se://myapp/postgres/password
  worker:
    image: service2
    command: worker
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
  db:
    image: postgres:17
    environment:
      - POSTGRES_PASSWORD=se://myapp/postgres/password
Subcommands
| Command | Description |
|---|---|
| docker pass get | Get a secret from a keystore. |
| docker pass ls | List all secrets from local keychain. |
| docker pass rm | Remove secrets from local keychain. |
| docker pass set | Set a secret. |
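Added example (not part of the Docker documentation or tooling): a small review aid for the Compose file shown under "Using keychain secrets in Compose". It maps each se:// secret to the services that receive it and flags sensitive-looking variables that still carry a hard-coded value. The function name `audit_compose`, the name heuristic, the 2-space service layout and the `LEGACY_TOKEN` entry are assumptions made for illustration.

```python
import re
# Constructed sample: trimmed from the page's Compose file, plus one hard-coded LEGACY_TOKEN.
SAMPLE_COMPOSE = """\
services:
  api:
    image: service1
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
      - POSTGRES_PASSWORD=se://myapp/postgres/password
  worker:
    image: service2
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
      - LEGACY_TOKEN=abc123
  db:
    image: postgres:17
    environment:
      - POSTGRES_PASSWORD=se://myapp/postgres/password
"""

# Assumption: variable names matching this pattern carry secrets; tune per project.
SENSITIVE = re.compile(r"KEY|TOKEN|PASSWORD|SECRET", re.I)
ENV_ENTRY = re.compile(r"^\s*-?\s*([A-Za-z_]\w*)\s*[=:]\s*(.*)$")  # list or map form

def audit_compose(text):
    """Return (refs, literals): refs maps each se:// secret name to the set of
    services that receive it; literals lists (service, variable) pairs whose
    sensitive-looking variable has a hard-coded value."""
    refs, literals, service, in_env, env_indent = {}, [], None, False, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):  # service key (2-space layout assumed)
            service, in_env = stripped[:-1], False
        elif stripped == "environment:":
            in_env, env_indent = True, indent
        elif in_env and indent > env_indent:
            m = ENV_ENTRY.match(line)
            if m:
                name, value = m.group(1), m.group(2).strip().strip("\"'")
                if value.startswith("se://"):
                    refs.setdefault(value[len("se://"):], set()).add(service)
                elif value and SENSITIVE.search(name):
                    literals.append((service, name))
        else:
            in_env = False
    return refs, literals
```

The `refs` mapping gives the list of names to check against `docker pass ls`, and shows at a glance which services share a secret.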
