by sgnnseven 2070 days ago
Keep them away from the container and use one or more of the following:

- A vault (Conjur, HCV, something else)

- A built-in credential service that comes with your cloud

- A sidecar that injects credentials or authenticates connections to the backend directly (Secretless Broker, service meshes, etc)

If you are doing a poor man's solution, mounted tmpfs volumes that contain secrets are not terrible (but they're not really that much safer than env vars).


Keep them away from the container image
Keep them away from both the image and the container! Getting env var values dumped for a process is trivial outside of the process and even easier within the container process space.
It astounds me how many developers don't realize just how many places environment variables end up, even on a properly functioning server.

Common info pages (ex: phpinfo), core dumps, debug errors and logs are notorious for containing them. And that isn't even counting the ways a malicious actor can persuade a program to provide them.
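Putting the two comments together, here is an added example (not code from either poster) of the "poor man's" file-based approach done carefully: the secret is read from a mounted file, the loader refuses to proceed if the same name is also an environment variable (where it would end up in dumps, phpinfo and logs), and it reports when the file is not actually on tmpfs or is readable by other users. The /run/secrets default directory is an assumption; the path is deployment-specific.

```python
import os
import stat
from pathlib import Path

# Added example, not from the thread. Secrets come from files on a mounted
# volume, never from env vars. /run/secrets is an assumed default location.
DEFAULT_SECRETS_DIR = Path("/run/secrets")


class SecretError(Exception):
    """A secret is missing or has also been placed in the environment."""


def mount_fstype(path, mounts_text=None) -> str:
    """Filesystem type of the mount holding `path` (longest mount point wins)."""
    if mounts_text is None:
        mounts_text = Path("/proc/mounts").read_text()
    path = Path(path).resolve()
    best_mnt, best_type = "", "unknown"
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt, fstype = Path(fields[1]), fields[2]
        if (mnt == path or mnt in path.parents) and len(fields[1]) > len(best_mnt):
            best_mnt, best_type = fields[1], fstype
    return best_type


def audit_secret_file(path, mounts_text=None) -> list:
    """Return findings about how a secret file is stored (empty list = clean)."""
    path = Path(path)
    findings = []
    mode = path.stat().st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is group/world readable (mode {oct(mode & 0o777)})")
    fstype = mount_fstype(path, mounts_text)
    if fstype != "tmpfs":
        findings.append(f"{path} lives on {fstype}, not tmpfs: it is persisted on disk")
    return findings


def load_secret(name, secrets_dir=DEFAULT_SECRETS_DIR, environ=None) -> str:
    """Read secret `name` from a file; refuse if the same name is an env var."""
    environ = os.environ if environ is None else environ
    if name in environ:
        raise SecretError(f"{name} is also an env var: it will show up in dumps and logs")
    path = Path(secrets_dir) / name
    if not path.is_file():
        raise SecretError(f"secret file {path} not found")
    return path.read_text().rstrip("\n")
```

Run `audit_secret_file` at startup and log its findings; a secret that passes both checks is still only as safe as the process that reads it.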