Dev asks the internet: surely there must be a way to make container secrets less dangerous?

The itch that won't go away
It has been reported that a blogger known as Spots published a plea to the internet after months of fiddling with container secret handling and coming up short. The problem is simple and infuriating: containers commonly expose secrets in predictable places like /run/secrets, and in an era of daily supply‑chain exploits and privilege escalation bugs that feels like a weak link. Spots writes, allegedly with mounting exasperation, that they’d like secrets to be "read‑once then somehow inaccessible" — a feature the Linux kernel doesn't currently provide for plain files.
Workarounds, hacks and the heart of the worry
Friends and colleagues offered the usual toolbox: environment variables, dedicated secret backends, entrypoint tricks. It has been reported that Spots tested mounting an empty tmpfs over /run/secrets after initialization so the app can’t re‑read files later — clever, but hacky. Environment variables keep raising eyebrows, too; they may be even easier for an attacker to exfiltrate than a container file. The emotional core here is clear: this isn't theoretical. It's anxiety — the developer frankly says it’s "driving me mad" — and a search for something more principled than duct tape and prayers.
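The tmpfs-over-/run/secrets workaround described above, written out as a container entrypoint; this is an added illustration, not code from Spots's post. The app binary and its flags, the su-exec privilege drop and the secret names are assumptions.

```shell
#!/bin/sh
# Entrypoint sketch of the "read once, then mount an empty tmpfs over
# /run/secrets" workaround.  Constructed example; the app path, the su-exec
# privilege drop and the secret names are assumptions.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"   # overridable so it runs outside a container

# load_secret NAME: print one secret exactly once.  Capture it into an
# UNEXPORTED shell variable; exported values end up in every child's
# /proc/<pid>/environ, in `docker inspect`, and in crash dumps.
load_secret() {
    cat -- "$SECRETS_DIR/$1"
}

# seal_secrets: shadow the on-disk copies with an empty, read-only tmpfs.
# Needs CAP_SYS_ADMIN, so run it before dropping privileges; a process that
# keeps that capability could simply unmount it again, and the originals still
# exist on the host.  Do not pass size=0: for tmpfs that means "unlimited".
seal_secrets() {
    mount -t tmpfs -o ro,nosuid,nodev,noexec tmpfs "$SECRETS_DIR"
}

# secrets_sealed: post-condition check; true only when no regular file is
# reachable under the directory any more.
secrets_sealed() {
    [ -z "$(find "$SECRETS_DIR" -type f 2>/dev/null | head -n 1)" ]
}

# main: opening the file BEFORE sealing keeps a descriptor to the original
# inode, so the app can still read it once through fd 3 after the path is
# gone; it should close the fd right away, since /proc/<pid>/fd/3 remains
# readable to its own uid until it does.
main() {
    exec 3< "$SECRETS_DIR/db_password"
    api_token="$(load_secret api_token)"     # unexported: stays out of environ
    seal_secrets
    secrets_sealed || { echo "refusing to start: $SECRETS_DIR still readable" >&2; exit 1; }
    # Hand the token over stdin (printf is a builtin, so it never hits argv),
    # then drop to the unprivileged app user.
    printf '%s\n' "$api_token" | exec su-exec app:app /usr/local/bin/app --token-stdin --password-fd 3
}

# Dockerfile: ENTRYPOINT ["/entrypoint.sh", "run"]
case "${1:-}" in run) main ;; esac
```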
What the industry can do next
This conversation taps a broader, ongoing trend: teams want short‑lived, hardware‑protected, least‑privilege secrets rather than long‑lived files floating around in container filesystems. Practitioners point to managed secret stores, sidecar injection, and ephemeral credentials as safer patterns, but none are a silver bullet. So what's the next move? Spots has thrown the question back to the community — on the blog and on Libera IRC — and it has been reported that they're hoping someone smarter has an idea that isn't just clever, but actually robust. Got one? Speak up.
Sources: dalmatian.life, Lobsters