podman-build/docs/build/man/podman-secret-create.1

.nh
.TH podman-secret-create 1
.SH NAME
podman-secret-create \- Create a new secret

.SH SYNOPSIS
\fBpodman secret create\fP [\fIoptions\fP] \fIname\fP \fIfile|-\fP

.SH DESCRIPTION
Creates a secret using standard input or from a file for the secret content.

.PP
Create accepts a path to a file, or \fB-\fR, which tells podman to read the secret from stdin

.PP
A secret is a blob of sensitive data which a container needs at runtime but
is not stored in the image or in source control, such as usernames and passwords,
TLS certificates and keys, SSH keys or other important generic strings or binary content (up to 512 kB in size).

.PP
Secrets are not committed to an image with \fBpodman commit\fR, and do not get committed in the archive created by a \fBpodman export\fR command.

.PP
Secrets can also be used to store passwords for \fBpodman login\fR to authenticate against container registries.

.SH OPTIONS
.SS \fB--driver\fP, \fB-d\fP=\fIdriver\fP
Specify the secret driver (default \fBfile\fP).

.SS \fB--driver-opts\fP=\fIkey1=val1,key2=val2\fP
Specify driver specific options.

.SS \fB--env\fP=\fIfalse\fP
Read secret data from environment variable.

.SS \fB--help\fP
Print usage statement.

.SS \fB--ignore\fP=\fIfalse\fP
If a secret with the same name already exists, do not return an error and return the existing secret's ID instead of creating a new one.
Cannot be used with \fB--replace\fR\&.
The default is \fBfalse\fP\&.

.SS \fB--label\fP, \fB-l\fP=\fIkey=val1,key2=val2\fP
Add label to secret. These labels can be viewed in podman secrete inspect or ls.

.SS \fB--replace\fP=\fIfalse\fP
If existing secret with the same name already exists, update the secret.
The \fB--replace\fR option does not change secrets within existing containers, only newly created containers.
Cannot be used with \fB--ignore\fR\&.
 The default is \fBfalse\fP\&.

.SH SECRET DRIVERS
.SS file
Secret resides in a read-protected file.

.SS pass
Secret resides in a GPG-encrypted file.

.SS shell
Secret is managed by custom scripts. An environment variable \fBSECRET_ID\fP
is passed to the scripts (except for \fBlist\fP), and secrets are communicated
via stdin/stdout (where applicable). Driver options \fBlist\fP, \fBlookup\fP,
\fBstore\fP, and \fBdelete\fP serve to install the scripts:

.EX
[secrets]
driver = "shell"

[secrets.opts]
list =
lookup =
store =
delete =
.EE

.SH EXAMPLES
Create the specified secret based on a local file.

.EX
echo -n mysecret > ./secret.txt
$ podman secret create my_secret ./secret.txt
.EE

.PP
Create the specified secret via stdin.

.EX
$ printf <secret> | podman secret create my_secret -
.EE

.PP
Create or rotate a cryptographically secure random secret just under the maximum \fB512000\fR bytes via stdin.

.EX
openssl rand -base64 378000 | podman secret create --replace my_secret -
.EE

.PP
Mount a local file-based secret securely in a container.

.EX
podman run --rm --secret source=my_secret,type=mount,uid=1001,gid=1001,mode=440 docker.io/library/alpine ls -l /run/secrets/my_secret
.EE

.PP
Create gpg encrypted secret based on a local file using the pass driver.

.EX
$ podman secret create --driver=pass my_secret ./secret.txt.gpg
.EE

.PP
Create a secret from an environment variable called 'MYSECRET'.

.EX
$ podman secret create --env=true my_secret MYSECRET
.EE

.SH SEE ALSO
\fBpodman(1)\fP, \fBpodman-secret(1)\fP, \fBpodman-login(1)\fP, \fBpodman-run(1)\fP

.SH HISTORY
.IP \(bu 2
January 2021, Originally compiled by Ashley Cui acui@redhat.com
\[la]mailto:acui@redhat.com\[ra]
.IP \(bu 2
February 2024, Added example showing secret creation from an environment variable by Brett Calliss brett@obligatory.email
\[la]mailto:brett@obligatory.email\[ra]
.IP \(bu 2
May 2025, Added example showing secure secret generation / rotation & mounting by Stuart Cardall