🐳 Docker Intermediate

How do you handle secrets in Docker?

Answer

Secrets must not be baked into images or handed to containers as environment variables: anything set with ENV or -e is readable with docker inspect, shows up in /proc/<pid>/environ, and is inherited by every child process and crash dump. Prefer file-based mechanisms that are scoped to the containers that actually need the value:

(1) Docker Secrets (Swarm mode only): docker secret create db_password ./password.txt stores the value in the Swarm Raft log, encrypted at rest (protect the unlock key with autolock). A service granted access with docker service create --secret db_password myapp sees it as a read-only file at /run/secrets/db_password on an in-memory tmpfs; services not granted the secret never see it. The file holds exactly what was in password.txt, trailing newline included, so strip it in the application.

(2) BuildKit secrets for build time: docker buildx build --secret id=npmrc,src=~/.npmrc . (plain docker build also accepts --secret where BuildKit is the default builder) together with RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm install in the Dockerfile. The file exists only for the duration of that RUN step and is never written to an image layer. Without target= the secret is mounted at /run/secrets/npmrc, which npm does not read.

(3) Secrets manager at startup: an entrypoint script or sidecar fetches from HashiCorp Vault, AWS SSM Parameter Store, or AWS Secrets Manager using the container's own identity (IAM task role, Vault AppRole or Kubernetes auth) and writes the value to a tmpfs file the application reads. Injecting the result as an environment variable reintroduces the docker inspect problem, so only do that when the application cannot read files. Where the backend supports it, issue short-lived leases instead of static credentials.

(4) Kubernetes: Secret objects are base64-encoded, not encrypted, by default; enable encryption at rest, restrict get/list/watch on Secrets with RBAC, mount them as volumes rather than env vars, and keep them out of git with Sealed Secrets or the External Secrets Operator.

Never: put secrets in Dockerfile ENV or ARG (both end up in the image config and docker history), COPY .env or key files into the image (list them in .dockerignore), or pass secrets with --build-arg (visible in docker history). Practice: rotate regularly, prefer short-lived credentials, audit who reads which secret, and scan images for leaked credentials before pushing.
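Whichever mechanism delivers the secret, the application side is the same: read it from a file under /run/secrets (Swarm) or a mounted volume (Kubernetes), fall back to the NAME_FILE convention that official images such as postgres use, and only accept a bare environment variable when explicitly allowed for local development. The loader below is an added example written for this page, not code from Docker or from any project; the /run/secrets path is the Swarm default, while the constructed temp directory, the secret names and the dev-only fallback flag are assumptions for the demonstration.

```python
"""Application-side secret loading for containers.

Resolution order, mirroring how Swarm, Kubernetes volumes and the official
Docker images deliver secrets:
  1. <secrets_dir>/<name>            e.g. /run/secrets/db_password
  2. file named by env var NAME_FILE e.g. DB_PASSWORD_FILE=/etc/creds/pw
  3. env var NAME, only when allow_env_fallback=True (dev only: env vars are
     visible via `docker inspect` and /proc/<pid>/environ)
"""
import os
from pathlib import Path
from typing import List, Mapping, Optional

# Default location Docker Swarm mounts `--secret` values (tmpfs, read-only).
DEFAULT_SECRETS_DIR = Path("/run/secrets")

# Assumed heuristic for flagging env vars that look like credentials.
_SUSPECT_TOKENS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


class SecretNotFound(RuntimeError):
    """Raised when a required secret is not available through a file."""


def load_secret(name: str,
                secrets_dir: Path = DEFAULT_SECRETS_DIR,
                env: Optional[Mapping[str, str]] = None,
                allow_env_fallback: bool = False) -> str:
    """Return the secret called `name`, preferring file-based sources.

    `docker secret create` stores the file verbatim, so a trailing newline from
    an editor would otherwise become part of the password; strip it here.
    """
    env = os.environ if env is None else env
    var = name.upper()
    candidates = [secrets_dir / name]
    file_var = env.get(f"{var}_FILE")
    if file_var:
        candidates.append(Path(file_var))
    for path in candidates:
        if path.is_file():
            return path.read_text(encoding="utf-8").rstrip("\r\n")
    if allow_env_fallback and var in env:
        return env[var]
    raise SecretNotFound(f"secret {name!r}: no file under {secrets_dir} and no {var}_FILE set")


def env_secret_warnings(env: Mapping[str, str]) -> List[str]:
    """Names of env vars whose *names* suggest an inline secret.

    NAME_FILE variables are pointers to files, not secrets, so they are skipped.
    Useful as a startup self-check: anything returned here is exposed to
    `docker inspect` and to every child process.
    """
    flagged = []
    for key in env:
        if key.endswith("_FILE"):
            continue
        if any(tok in key.upper() for tok in _SUSPECT_TOKENS):
            flagged.append(key)
    return sorted(flagged)


def demo() -> dict:
    """Run the loader against a constructed secrets directory (no Docker needed)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmpdir:
        sdir = Path(tmpdir)
        # Constructed stand-ins for /run/secrets/db_password and a *_FILE target.
        (sdir / "db_password").write_text("s3cr3t-from-swarm\n", encoding="utf-8")
        (sdir / "api_key.txt").write_text("k-from-file\n", encoding="utf-8")
        env = {"API_KEY_FILE": str(sdir / "api_key.txt"), "DEV_TOKEN": "dev-only"}
        results = {
            "via_mount": load_secret("db_password", secrets_dir=sdir, env=env),
            "via_file_var": load_secret("api_key", secrets_dir=sdir, env=env),
            "via_env": load_secret("dev_token", secrets_dir=sdir, env=env,
                                   allow_env_fallback=True),
            "env_warnings": env_secret_warnings(env),
        }
        try:
            load_secret("dev_token", secrets_dir=sdir, env=env)
            results["env_blocked"] = False
        except SecretNotFound:
            results["env_blocked"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In production leave allow_env_fallback at its default so a misconfigured deployment fails fast instead of silently reading a credential from the environment, and log the output of env_secret_warnings at startup to catch a stray -e DB_PASSWORD=... in a compose file.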