Podman Create Secret: 3 Easy Methods


Last updated on October 28th, 2024 at 12:28 am

Protecting sensitive data such as passwords, API keys and tokens is a core requirement when you run containerized applications with Podman. Without a dedicated mechanism, developers tend to hardcode secrets into the image or pass them in ways that leak, for example through environment variables or world-readable files.

This article walks through the "Podman Create Secret" command (podman secret create) and shows how to manage sensitive data for your containers securely.

Why Use Podman Secrets?

Before answering why you should use Podman secrets, let's review the common ways of storing sensitive data for containers and the problems with each.

Store Sensitive Data in Containers

Hardcoding Secrets in the Image:

This is a bad practice; avoid it at all costs. A secret baked into an image layer is available to anyone who can pull the image, and it stays in the layer history even if a later layer deletes the file.

Storing Secrets in Environment Variables:

Exporting secrets as environment variables is convenient, but they leak easily: podman inspect prints every variable passed with -e, any process with the same UID (or root) can read them from /proc/<pid>/environ, child processes inherit them, and they routinely end up in crash dumps and application logs.

Mounting Files as Secrets:

Mounting a file into the container is a better approach, but the file permissions must be right. A secret file that is readable by group or others, or owned by the wrong user, exposes the value to every process in the container and to anyone who can read the host path.
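The application side matters as much as the storage side: a secret that Podman mounts as a file (by default at /run/secrets/<name>) should be validated before use, and a plain environment variable should be the last resort. The following entrypoint script is an added example, not code from the original post. It assumes the secret name db_password, the variable name DB_PASSWORD and the DB_PASSWORD_FILE convention, all of which are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post): resolve a secret inside the
# container the safe way first and the leaky way last.
# Assumptions: Podman's default mount path /run/secrets/<name>; the names
# db_password / DB_PASSWORD / DB_PASSWORD_FILE are illustrative.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret_file PATH: print the file's content without the trailing newline.
# Refuses the file unless it is a regular, non-empty file whose group/other
# permission bits are all clear (0400 or 0600), so a mis-mounted secret fails
# loudly instead of being used.
read_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "secret file $f: missing or not a regular file" >&2; return 1; }
    # columns 5-10 of 'ls -l' are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || {
        echo "secret file $f: group/other bits set ($bits); mount it with mode 0400" >&2
        return 1
    }
    [ -s "$f" ] || { echo "secret file $f: empty" >&2; return 1; }
    val=$(cat "$f")        # command substitution strips trailing newlines
    printf '%s' "$val"
}

# resolve_secret NAME VAR: print the value of secret NAME, trying in order
#   1. $SECRETS_DIR/NAME            (what 'podman run --secret NAME' mounts)
#   2. the file named by ${VAR}_FILE (the *_FILE convention many images use)
#   3. $VAR itself                   (plain env var: works, but warns, since it
#                                     is visible in podman inspect and /proc)
resolve_secret() {
    name=$1
    var=$2
    if [ -f "$SECRETS_DIR/$name" ]; then
        read_secret_file "$SECRETS_DIR/$name"
        return
    fi
    file=$(eval "printf '%s' \"\${${var}_FILE:-}\"")
    if [ -n "$file" ]; then
        read_secret_file "$file"
        return
    fi
    val=$(eval "printf '%s' \"\${${var}:-}\"")
    if [ -n "$val" ]; then
        echo "warning: $var taken from the environment; prefer --secret $name" >&2
        printf '%s' "$val"
        return
    fi
    echo "error: no source found for secret $name" >&2
    return 1
}

# Entrypoint use: ENTRYPOINT ["/entrypoint.sh"] with the application as CMD.
# The value then exists only in this process tree, never in the image or on
# the podman run command line. If the application can read a file itself,
# pass it the path instead of exporting the variable.
if [ "${ENTRYPOINT_MODE:-0}" = 1 ]; then
    DB_PASSWORD=$(resolve_secret db_password DB_PASSWORD)
    export DB_PASSWORD
    exec "$@"
fi
```

The permission check deliberately fails closed: a secret mounted with the wrong mode is a configuration error you want to see at start-up, not a silent exposure that an attacker inside the container finds later.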

Podman Cheat Sheet

FREE Podman Cheat Sheet (Everything You Need, In One Place)

This is the last Podman Cheat Sheet you’ll ever need. Why?
Because it’s not just a list of commands—it’s a shortcut to make your work easier, faster, and more effective.

Stop wasting time digging through documentation. With this cheat sheet, you’ll get exactly what you need, right when you need it.

Advantages of Podman Create Secret

Enhanced Security:

Podman stores secrets outside the container image and injects them only into the containers you choose (with podman run --secret), so the value never becomes part of an image layer or of a podman run command line.

Centralized Management:

All secrets live in one store on the host and are referenced by name, so the same secret can be attached to several containers and replaced in one place.

Easy Workflow:

Podman provides simple commands to manage secrets: podman secret create, podman secret ls, podman secret inspect and podman secret rm. They script easily, which makes them straightforward to integrate into a CI/CD workflow.

Podman Create Secret: Step-by-Step Guide

Let's walk through creating secrets with Podman step by step. First, the prerequisites.

Make sure Podman is installed on your system before you follow along; if you need to install it, follow the official Podman documentation. Secrets need Podman 3.1 or later, and some options used below (such as podman secret inspect --showsecret) need a recent 4.x release.

If you want to utilize the new feature and platform-specific build check the below article:

Build Podman from Source: 5 Easy Steps

Create a Secret from a File

You can put the password, API key or other sensitive value in a file and pass that file to podman secret create:

Bash
# Write the value to a file; -n keeps a trailing newline out of the secret.
# Run 'umask 077' first so the file is created readable by you only.
echo -n super_duper_secret > ./secret.txt

# Create the secret from the file
podman secret create super_secret ./secret.txt

Podman creates the secret super_secret with the contents of secret.txt. The plaintext file is still on disk and the echo command is now in your shell history, so delete the file once the secret exists and never commit it to version control.

Create a Secret from Standard Input

A trailing - tells podman secret create to read the value from standard input (stdin) instead of a file:

Bash
printf "super_duper_secret" | podman secret create super_secret -

This avoids a plaintext file on disk, but a literal value typed on the command line still lands in your shell history. In practice, pipe the output of a password generator or of your secret manager's CLI into the command instead.

Create a Secret from an Environment Variable

With --env, the last argument is the name of an environment variable in the shell that runs podman, and its value becomes the secret (--env and --env=true are equivalent):

Bash
podman secret create --env=true super_secret SUPER_DUPER_SECRET

Podman creates the secret super_secret from the value of SUPER_DUPER_SECRET, which must already be set in your environment. Set it for that one command rather than exporting it in your profile, so it does not linger in every process you start afterwards.

Create a GPG-Encrypted Secret

By default Podman uses the file driver, which stores the secret data in Podman's storage directory without encryption, protected only by file permissions. The pass driver adds a layer on top: it encrypts each secret with GPG at rest. The input is the same plaintext as in the other methods; Podman performs the encryption itself, so do not pre-encrypt the file with gpg, otherwise the container would receive the ciphertext:

Bash
podman secret create --driver=pass super_secret ./secret.txt

The pass driver needs a GPG key on the host; driver-specific settings such as the key to use are passed with --driver-opts (see podman secret create --help for the exact option names).
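Putting the methods together, here is the producer side end to end, as an added example that is not part of the original post: the value is generated and piped straight into podman secret create so it never touches the disk or the shell history, then handed to a container as a read-only file with podman run --secret, where it appears at /run/secrets/<name>. The secret name db_password, the alpine image and uid/gid 1000 are illustrative; the mode, uid and gid options of --secret are Podman's own.

```shell
#!/bin/sh
# Added example (not from the original post): create a secret from a pipe
# and consume it as a read-only file in a container.
# Assumptions: Podman with 'podman run --secret' (mode/uid/gid options);
# db_password, the image and uid/gid 1000 are illustrative choices.
set -eu

# secret_arg NAME MODE UID GID: the value for 'podman run --secret'.
# type=mount places the secret at /run/secrets/NAME inside the container;
# mode/uid/gid decide who in the container may read it.
secret_arg() {
    printf 'source=%s,type=mount,mode=%s,uid=%s,gid=%s' "$1" "$2" "$3" "$4"
}

# create_secret NAME: store the value read from stdin.
# Piping from a generator keeps the value out of ~/.bash_history and off the
# filesystem, unlike 'echo -n value > file' or a literal in printf.
create_secret() {
    podman secret create "$1" - >/dev/null
}

# run_with_secret NAME IMAGE CMD...: run IMAGE with NAME mounted read-only for
# the container's unprivileged user only (mode 0400, owned by uid/gid 1000).
run_with_secret() {
    name=$1
    image=$2
    shift 2
    podman run --rm --user 1000:1000 \
        --secret "$(secret_arg "$name" 0400 1000 1000)" \
        "$image" "$@"
}

# demo: generate a random value, store it, and let the container prove that
# it can read the file with the expected ownership and mode. The value itself
# is never printed on the host.
demo() {
    openssl rand -base64 32 | tr -d '\n' | create_secret db_password
    run_with_secret db_password docker.io/library/alpine:3.20 \
        sh -c 'ls -l /run/secrets/db_password; wc -c < /run/secrets/db_password'
    # The host still holds a copy in Podman's secret store (unencrypted with
    # the default file driver); remove it when no longer needed:
    # podman secret rm db_password
}

# Set RUN_DEMO=1 to execute against a real Podman.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

Running the container as uid 1000 and mounting the secret owned by that uid with mode 0400 means a process that escalates to another unprivileged account inside the container still cannot read the file; only the application user and root can.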


Advanced Podman Secret Management

Apart from creating secrets, Podman provides easy-to-use commands for managing them. Let's go through the remaining podman secret subcommands:

List Existing Secrets

You can list all your available secrets in Podman with:

Bash
podman secret ls

# List secrets but format name only.
podman secret ls --format "{{.Name}}"

Inspect Podman Secrets

Once you have created a secret, you may want to check its metadata (ID, driver, creation time) or the value itself:

Bash
podman secret inspect super_secret

# Inspect the secret and include the secret value
podman secret inspect --showsecret super_secret

By default Podman does not print the actual value. Pass --showsecret to include it, and treat that output as sensitive: it ends up in your terminal scrollback and in any log a CI job captures.

Remove Podman Secrets

podman secret rm deletes a secret from Podman's store so that new containers can no longer reference it.

Removal is not revocation, though. A container that is already running keeps the copy of the value that was mounted when it started, and the credential itself remains valid at the service that accepts it. To retire a secret for real, rotate it at the source (the database, the API provider) and then remove the old Podman secret.

Bash
podman secret rm super_secret

# You can remove multiple secrets at once
podman secret rm super_secret1 super_secret2 super_secret3

Best Practices for Podman Create Secret

Let's discuss the best practices for "Podman Create Secret".

Least Privilege Principle:

Give each container only the secrets it actually needs, and mount them with the tightest permissions that still let the application user read them (for example mode 0400, owned by that user, via the mode, uid and gid options of --secret). Don't be permissive when granting access.

This reduces what an attacker gains if the container is compromised.

Use Strong & Unique Secrets:

Never keep default passwords. Generate long random values with a cryptographically secure generator (a password manager or openssl rand) instead of composing them by hand from letters, numbers and special characters.

Avoid reusing the same secret across environments and services; a unique secret per container and service means that one leak compromises one thing.

Regular Secrets Rotation:

Set up a regular rotation policy for your container environment. Rotation limits the time during which a leaked secret is useful, which reduces the blast radius of a breach even when a value has been exposed.

Integrate rotation into your CI/CD pipeline so that it happens automatically. Note that podman secret create refuses a name that already exists (newer releases add a --replace flag), so in practice you create the new value under a new name, or remove and recreate the old one, and then restart the containers that consume it.
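A concrete rotation routine, as an added example that is not part of the original post: each rotation stores the new value under a versioned name (db_password-v1, db_password-v2, ...), redeploys the consumer with the new name, and only then removes the older versions, so a failed redeploy can still fall back to the previous value. It assumes the <base>-v<N> naming scheme, the container name app and the alpine image, all illustrative; podman secret ls --format '{{.Name}}' and podman run --secret are Podman's own commands.

```shell
#!/bin/sh
# Added example (not from the original post): version-based rotation of a
# Podman secret. Assumptions: secrets named <base>-v<N>; 'app' and the image
# are illustrative; 'podman secret ls --format' and '--secret' are Podman's.
set -eu

# latest_version BASE: highest N among existing secrets named BASE-vN, or 0.
latest_version() {
    podman secret ls --format '{{.Name}}' \
        | sed -n "s/^$1-v\([0-9][0-9]*\)\$/\1/p" \
        | sort -n | tail -n 1 \
        | { read -r v || true; echo "${v:-0}"; }
}

# rotate_secret BASE: store the value read from stdin as BASE-v<N+1> and print
# the new name. A new name is used because 'podman secret create' refuses to
# overwrite an existing one, and because the old version should survive until
# every consumer has been restarted.
rotate_secret() {
    n=$(latest_version "$1")
    new="$1-v$((n + 1))"
    podman secret create "$new" - >/dev/null
    printf '%s\n' "$new"
}

# redeploy CONTAINER SECRET IMAGE [CMD...]: replace the container so it starts
# with the new secret mounted read-only at /run/secrets/SECRET.
redeploy() {
    ctr=$1
    secret=$2
    shift 2
    podman rm -f "$ctr" >/dev/null 2>&1 || true
    podman run -d --name "$ctr" --secret "source=$secret,type=mount,mode=0400" "$@" >/dev/null
}

# retire_old BASE: remove every BASE-vN except the newest. Call this only after
# all consumers run with the newest version; removal is not revocation, so the
# old value must also be invalidated at the service that accepts it.
retire_old() {
    keep="$1-v$(latest_version "$1")"
    podman secret ls --format '{{.Name}}' \
        | grep "^$1-v[0-9][0-9]*\$" \
        | while read -r s; do
            [ "$s" = "$keep" ] || podman secret rm "$s" >/dev/null
          done
}

# demo: one full rotation with a freshly generated value (never shown on the host).
demo() {
    new=$(openssl rand -base64 32 | tr -d '\n' | rotate_secret db_password)
    redeploy app "$new" docker.io/library/alpine:3.20 sleep 3600
    retire_old db_password
}

# Set RUN_DEMO=1 to execute against a real Podman.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo
fi
```

Versioned names also give you an audit trail in podman secret ls (creation timestamps per version) and make a rollback a matter of redeploying with the previous name, as long as retire_old has not run yet.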

Use External Secret Management:

For anything beyond a single host, keep the source of truth in a dedicated secret manager from your cloud provider and feed Podman from it, for example:

AWS Secrets Manager (with AWS KMS for the encryption keys)

Azure Key Vault

Google Cloud Secret Manager

Podman's shell driver can delegate storing and looking up secrets to such a tool's CLI, so the value is fetched when the secret is needed instead of sitting in Podman's local store.

Conclusion:

Podman Create Secret gives you a straightforward way to create, list, inspect and remove secrets. Podman offers several drivers (file, pass and shell) for storing them and mounts them into containers as files or environment variables at run time, keeping them out of images and command lines.

Additionally, follow the best practices above to improve the overall security posture of your container applications. Security is a continuous process: review and audit your practices and logs regularly and keep improving them.


Kashyap Merai

Kashyap Merai is a Certified Solutions Architect and Public Cloud Specialist with over 7 years in IT. He has helped startups in the real estate, media streaming and on-demand industries launch successful public cloud projects.

Passionate about space, science and computers, he also mentors aspiring cloud engineers, shaping the industry's future.

Connect with him on LinkedIn to stay updated on cloud innovations.